Malware analysis 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.zip Malicious activity

Add for printing

File name:	82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.zip
Full analysis:	https://app.any.run/tasks/80894995-3f6e-409f-99cb-9f3177e23ff4
Verdict:	Malicious activity
Analysis date:	June 19, 2023, 11:38:14
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	snake blackguard
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract
MD5:	E40B3AC059BCFB3A37B72E1565E3151F
SHA1:	CC0F72EE77BAF34D0D277841F5DBC14D3A45A1C3
SHA256:	7F6A2D7D6382DFD0897BB2E50180526E0FEB7F339C0E564F67BCF1A553BEADD9
SSDEEP:	12288:W6DEptN5cwwEdIZYi6UvzAU53qFN2jQLMFnHVYOsEgu3QUopdJooslVTC:W2e5F5dIZYNUn5a2kOC7EgugUopdJrs2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (5.74)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (86.0.4240.198)
Google Chrome (86.0.4240.198)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 83.0 (x86 en-US) (83.0)
Mozilla Firefox 83.0 (x86 en-US) (83.0)
Mozilla Maintenance Service (83.0.0.7621)
Mozilla Maintenance Service (83.0.0.7621)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
Opera 12.15 (12.15.1748)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Skype version 8.29 (8.29)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 3336)
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 1060)
- Uses Task Scheduler to run other applications
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 3336)
- SNAKE detected by memory dumps
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 1060)
- BLACKGUARD detected by memory dumps
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 1060)
SUSPICIOUS
- Application launched itself
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 3336)
- Reads the Internet Settings
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 3336)
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 1060)
- Executable content was dropped or overwritten
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 3336)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 1116)
- Reads the computer name
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 3336)
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 1060)
- The process checks LSA protection
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 3336)
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 1060)
- Checks supported languages
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 3336)
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 1060)
- Manual execution by a user
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 3336)
- Reads the machine GUID from the registry
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 3336)
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 1060)
- Creates files or folders in the user directory
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 3336)
- Create files in a temporary directory
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 3336)
- Reads Environment values
  - 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe (PID: 1060)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

SnakeKeylogger

(PID) Process(1060) 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe

Keys

DES6fc98cd6

Options

SMTP User[email protected]

SMTP Passwordu1T8hf3?

SMTP Hostriogrande.es

SMTP SendTo[email protected]

SMTP Port25

BlackGuard

(PID) Process(1060) 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe

C2 (2)http://checkip.dyndns.org

https://api.telegram.org

Strings (427)WinForms_RecursiveFormCreate

WinForms_SeeInnerException

lfwhUWZlmFnGhDYPudAJ.Resources

Software\

Win32_OperatingSystem

Version

.txt

$%SMTPDV$

$#TheHashHere%&

False

$ProtectPass%

ProtectFalse

BsrOkyiChvpfhAkipZAxnnChkMGkLnAiZhGMyrnJfULiDGkfTkrTELinhfkLkJrkDExMvkEUCxUkUGr

Country Name:

CountryCode:

Region Name:

Region Code:

City:

TimeZone:

Latitude:

Longitude:

ZzHN95aDFK10Ltdoj2UXp2Fl5yji01m9Gx7jCwN15ko=

GMo4BV2mUThjHvh0nRM/cw==

IACNaOg/bwCNrANaQjv16Q==

7L5bYii2xdYv2u9GWSJcvcG/ESep3BBpToL0V6baP08=

O+dvBLjH3Ow=

Yx74dJ0TP3M=

ZyiAEnXWZP

chrome

firefox

zlclient

egui

bdagent

npfmsg

olydbg

anubis

wireshark

avastui

_Avp32

vsmon

mbam

keyscrambler

_Avpcc

_Avpm

Ackwin32

Outpost

Anti-Trojan

ANTIVIR

Apvxdwin

ATRACK

Autodown

Avconsol

Ave32

Avgctrl

Avkserv

Avnt

Avp32

Avpcc

Avpdos32

Avpm

Avptc32

Avpupd

Avsched32

AVSYNMGR

Avwin95

Avwupd32

Blackd

Blackice

Cfiadmin

Cfiaudit

Cfinet

Cfinet32

Claw95

Claw95cf

Cleaner

Cleaner3

Defwatch

Dvp95

Dvp95_0

Ecengine

Esafe

Espwatch

F-Agnt95

Findviru

Fprot

F-Prot

F-Prot95

Fp-Win

F-Stopw

Iamapp

Iamserv

Ibmasn

Ibmavsp

Icload95

Icloadnt

Icmon

Icsupp95

Icsuppnt

Iface

Iomon98

Jedi

Lockdown2000

Lookout

Luall

MCAFEE

Moolive

Mpftray

N32scanw

NAVAPW32

NAVLU32

Navnt

NAVRUNR

Navw32

Navwnt

NeoWatch

NISSERV

Nisum

Nmain

Normist

NORTON

Nupgrade

Nvc95

Padmin

Pavcl

Pavsched

Pavw

PCCIOMON

PCCMAIN

Pccwin98

Pcfwallicon

Persfw

POP3TRAP

PVIEW95

Rav7

Rav7win

Rescue

Safeweb

Scan32

Scan95

Scanpm

Scrscan

Serv95

SMCSERVICE

Snort

Sphinx

Sweep95

SYMPROXYSVC

Tbscan

Tds2-98

Tds2-Nt

TermiNET

Vet95

Vettray

Vscan40

Vsecomr

Vshwin32

Vsstat

Webscanx

WEBTRAP

Wfindv32

Zonealarm

LOCKDOWN2000

RESCUE32

LUCOMSERVER

avgcc

avgamsvr

avgupsvc

avgw

avgcc32

avgserv

avgserv9

avgserv9schedapp

avgemc

ashwebsv

ashdisp

ashmaisv

ashserv

aswUpdSv

symwsc

norton

Norton Auto-Protect

norton_av

nortonav

ccsetmgr

ccevtmgr

avadmin

avcenter

avgnt

avguard

avnotify

avscan

guardgui

nod32krn

nod32kui

clamscan

clamTray

clamWin

freshclam

oladdin

sigtool

w9xpopen

Wclose

cmgrdian

alogserv

mcshield

vshwin32

avconsol

vsstat

avsynmgr

avcmd

avconfig

licmgr

sched

preupd

MsMpEng

MSASCui

Avira.Systray

/C choice /C Y /N /D Y /T 3 & Del "

cmd.exe

software\microsoft\windows\currentversion\run

------------------------

Content-Type

multipart/form-data; boundary=

POST

/sendMessage?chat_id=

&text=

utf-8

{0:f2} GB

user-agent

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)

<html><head><title>Current IP Check</title></head><body>

</body></html>

Current IP Address:

{Null}

Clipboard |

http

<http>

%FTPDV$

Create

- Clipboard Logs ID -

STOR

Pc Name:

| Snake Tracker

Clipboard

text/plain

True

$%TelegramDv$

/sendDocument?chat_id=

&caption=

application/x-ms-dos-executable

Screenshot

.png

\SnakeKeylogger

\SnakeKeylogger\

- Screenshot Logs ID -

Screenshot |

KP |

- keystroke Logs ID -

Keystrokes

Keylogger |

SnakeKeylogger

PW |

- Passwords ID -

Passwords

Rǫ

SnakePW

.ldb

oken

ProtectTrue

300000

[ENTR]

[TAP]

ObjectLength

ChainingModeGCM

AuthTagLength

ChainingMode

KeyDataBlob

Microsoft Primitive Provider

BCrypt.BCryptDecrypt() (get size) failed with status code: {0}

BCrypt.BCryptDecrypt(): authentication tag mismatch

BCrypt.BCryptDecrypt() failed with status code:{0}

BCrypt.BCryptOpenAlgorithmProvider() failed with status code:{0}

BCrypt.BCryptSetAlgorithmProperty(BCrypt.BCRYPT_CHAINING_MODE, BCrypt.BCRYPT_CHAIN_MODE_GCM) failed with status code:{0}

BCrypt.BCryptImportKey() failed with status code:{0}

BCrypt.BCryptGetProperty() (get size) failed with status code:{0}

BCrypt.BCryptGetProperty() failed with status code:{0}

IMAP Password

POP3 Password

HTTP Password

SMTP Password

Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676

Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

GetBytes

SMTP Server

Nothing

Outlook

Foxmail

SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command

Foxmail.exe

Storage\

\Accounts\Account.rec0

Account

POP3Account

Password

POP3Password

E-Mail: {0}

PSWD: {0}

\Local State

"encrypted_key":"(.*?)"

\Kinza\User Data\Default\Login Data

logins

origin_url

username_value

password_value

\Sputnik\Sputnik\User Data\Default\Login Data

\SalamWeb\User Data\Default\Login Data

\MapleStudio\ChromePlus\User Data\Default\Login Data

\QIP Surf\User Data\Default\Login Data

\BlackHawk\User Data\Default\Login Data

\7Star\7Star\User Data\Default\Login Data

APPDATA

\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data

\CatalinaGroup\Citrio\User Data\Default\Login Data

\Google\Chrome SxS\User Data\Default\Login Data

\Google\Chrome\User Data\Default\Login Data

\Coowon\Coowon\User Data\Default\Login Data

\CocCoc\Browser\User Data\Default\Login Data

\uCozMedia\Uran\User Data\Default\Login Data

\Tencent\QQBrowser\User Data\Default\Login Data

\Orbitum\User Data\Default\Login Data

\Slimjet\User Data\Default\Login Data

\Iridium\User Data\Default\Login Data

\Vivaldi\User Data\Default\Login Data

\Chromium\User Data\Default\Login Data

\GhostBrowser\User Data\Default\Login Data

\CentBrowser\User Data\Default\Login Data

\Xvast\User Data\Default\Login Data

\Chedot\User Data\Default\Login Data

\SuperBird\User Data\Default\Login Data

\360Browser\Browser\User Data\Default\Login Data

\360Chrome\Chrome\User Data\Default\Login Data

\Comodo\Dragon\User Data\Default\Login Data

\BraveSoftware\Brave-Browser\User Data\Default\Login Data

\Torch\User Data\Default\Login Data

\UCBrowser\User Data_i18n\Default\UC Login Data.18

wow_logins

\Blisk\User Data\Default\Login Data

\Epic Privacy Browser\User Data\Default\Login Data

\Yandex\YandexBrowser\User Data\Default\Ya Login Data

\Nichrome\User Data\Default\Login Data

\Amigo\User Data\Default\Login Data

\Kometa\User Data\Default\Login Data

\Xpom\User Data\Default\Login Data

\Elements Browser\User Data\Default\Login Data

\Microsoft\Edge\User Data\Default\Login Data

ataD nigoL\elbatS arepO\erawtfoS arepO\

tad.dnaw\eliforp\arepO\arepO\

ReadTable

snigol

GetRowCount

GetValue

lru_nigiro

eulav_emanresu

eulav_drowssap

abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=

\FileZilla\recentservers.xml

Host

Pass

Port

Host:

AppData

\.purple\accounts.xml

protocol

name

password

\Liebao7\User Data\Default\EncryptedStorage

entries

str3

str2

blob0

\AVAST Software\Browser\User Data\Default\Login Data

Software\Microsoft\Windows NT\CurrentVersion

DigitalProductID

BCDFGHJKMPQRTVWXY2346789

All User Profile * : (?<after>.*)

after

{0}{1}{2}{3}{4}

WiFi Name:

wlan show profile name="

" key=clear

netsh

wlan show profile

Key Content * : (?<after>.*)

Open Network

\discord\Local Storage\leveldb\

.log

UNIQUE

table

Mozilla\Firefox\Profiles

logins.json

Waterfox\Profiles

Thunderbird\Profiles\

Mozilla\SeaMonkey\Profiles

Comodo\IceDragon\Profiles

8pecxstudios\Cyberfox\Profiles

FlashPeak\SlimBrowser\Profiles

Mozilla\icecat\Profiles

PostboxApp\Profiles

Moonchild Productions\Pale Moon\Profiles

NSS_Shutdown

PROGRAMFILES

\Mozilla Thunderbird\

\Mozilla Firefox\

\SeaMonkey\

\Comodo\IceDragon\

\Cyberfox\

\Pale Moon\

\Waterfox Current\

\SlimBrowser\

\Postbox\

\mozglue.dll

\nss3.dll

NSS_Init

PK11SDR_Decrypt

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe
ZipUncompressedSize:	841216
ZipCompressedSize:	691875
ZipCRC:	0x050ae997
ZipModifyDate:	2023:06:19 11:36:34
ZipCompression:	Unknown (99)
ZipBitFlag:	0x0003
ZipRequiredVersion:	51

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1060

"C:\Users\admin\Desktop\82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe"

C:\Users\admin\Desktop\82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe

82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe

User:

admin

Integrity Level:

MEDIUM

Description:

QuanLyCafe

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll

SnakeKeylogger

(PID) Process(1060) 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe

Keys

DES6fc98cd6

Options

SMTP User[email protected]

SMTP Passwordu1T8hf3?

SMTP Hostriogrande.es

SMTP SendTo[email protected]

SMTP Port25

BlackGuard

(PID) Process(1060) 82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe

C2 (2)http://checkip.dyndns.org

https://api.telegram.org

Strings (427)WinForms_RecursiveFormCreate

WinForms_SeeInnerException

lfwhUWZlmFnGhDYPudAJ.Resources

Software\

Win32_OperatingSystem

Version

.txt

$%SMTPDV$

$#TheHashHere%&

False

$ProtectPass%

ProtectFalse

BsrOkyiChvpfhAkipZAxnnChkMGkLnAiZhGMyrnJfULiDGkfTkrTELinhfkLkJrkDExMvkEUCxUkUGr

Country Name:

CountryCode:

Region Name:

Region Code:

City:

TimeZone:

Latitude:

Longitude:

ZzHN95aDFK10Ltdoj2UXp2Fl5yji01m9Gx7jCwN15ko=

GMo4BV2mUThjHvh0nRM/cw==

IACNaOg/bwCNrANaQjv16Q==

7L5bYii2xdYv2u9GWSJcvcG/ESep3BBpToL0V6baP08=

O+dvBLjH3Ow=

Yx74dJ0TP3M=

ZyiAEnXWZP

chrome

firefox

zlclient

egui

bdagent

npfmsg

olydbg

anubis

wireshark

avastui

_Avp32

vsmon

mbam

keyscrambler

_Avpcc

_Avpm

Ackwin32

Outpost

Anti-Trojan

ANTIVIR

Apvxdwin

ATRACK

Autodown

Avconsol

Ave32

Avgctrl

Avkserv

Avnt

Avp32

Avpcc

Avpdos32

Avpm

Avptc32

Avpupd

Avsched32

AVSYNMGR

Avwin95

Avwupd32

Blackd

Blackice

Cfiadmin

Cfiaudit

Cfinet

Cfinet32

Claw95

Claw95cf

Cleaner

Cleaner3

Defwatch

Dvp95

Dvp95_0

Ecengine

Esafe

Espwatch

F-Agnt95

Findviru

Fprot

F-Prot

F-Prot95

Fp-Win

F-Stopw

Iamapp

Iamserv

Ibmasn

Ibmavsp

Icload95

Icloadnt

Icmon

Icsupp95

Icsuppnt

Iface

Iomon98

Jedi

Lockdown2000

Lookout

Luall

MCAFEE

Moolive

Mpftray

N32scanw

NAVAPW32

NAVLU32

Navnt

NAVRUNR

Navw32

Navwnt

NeoWatch

NISSERV

Nisum

Nmain

Normist

NORTON

Nupgrade

Nvc95

Padmin

Pavcl

Pavsched

Pavw

PCCIOMON

PCCMAIN

Pccwin98

Pcfwallicon

Persfw

POP3TRAP

PVIEW95

Rav7

Rav7win

Rescue

Safeweb

Scan32

Scan95

Scanpm

Scrscan

Serv95

SMCSERVICE

Snort

Sphinx

Sweep95

SYMPROXYSVC

Tbscan

Tds2-98

Tds2-Nt

TermiNET

Vet95

Vettray

Vscan40

Vsecomr

Vshwin32

Vsstat

Webscanx

WEBTRAP

Wfindv32

Zonealarm

LOCKDOWN2000

RESCUE32

LUCOMSERVER

avgcc

avgamsvr

avgupsvc

avgw

avgcc32

avgserv

avgserv9

avgserv9schedapp

avgemc

ashwebsv

ashdisp

ashmaisv

ashserv

aswUpdSv

symwsc

norton

Norton Auto-Protect

norton_av

nortonav

ccsetmgr

ccevtmgr

avadmin

avcenter

avgnt

avguard

avnotify

avscan

guardgui

nod32krn

nod32kui

clamscan

clamTray

clamWin

freshclam

oladdin

sigtool

w9xpopen

Wclose

cmgrdian

alogserv

mcshield

vshwin32

avconsol

vsstat

avsynmgr

avcmd

avconfig

licmgr

sched

preupd

MsMpEng

MSASCui

Avira.Systray

/C choice /C Y /N /D Y /T 3 & Del "

cmd.exe

software\microsoft\windows\currentversion\run

------------------------

Content-Type

multipart/form-data; boundary=

POST

/sendMessage?chat_id=

&text=

utf-8

{0:f2} GB

user-agent

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)

<html><head><title>Current IP Check</title></head><body>

</body></html>

Current IP Address:

{Null}

Clipboard |

http

<http>

%FTPDV$

Create

- Clipboard Logs ID -

STOR

Pc Name:

| Snake Tracker

Clipboard

text/plain

True

$%TelegramDv$

/sendDocument?chat_id=

&caption=

application/x-ms-dos-executable

Screenshot

.png

\SnakeKeylogger

\SnakeKeylogger\

- Screenshot Logs ID -

Screenshot |

KP |

- keystroke Logs ID -

Keystrokes

Keylogger |

SnakeKeylogger

PW |

- Passwords ID -

Passwords

Rǫ

SnakePW

.ldb

oken

ProtectTrue

300000

[ENTR]

[TAP]

ObjectLength

ChainingModeGCM

AuthTagLength

ChainingMode

KeyDataBlob

Microsoft Primitive Provider

BCrypt.BCryptDecrypt() (get size) failed with status code: {0}

BCrypt.BCryptDecrypt(): authentication tag mismatch

BCrypt.BCryptDecrypt() failed with status code:{0}

BCrypt.BCryptOpenAlgorithmProvider() failed with status code:{0}

BCrypt.BCryptSetAlgorithmProperty(BCrypt.BCRYPT_CHAINING_MODE, BCrypt.BCRYPT_CHAIN_MODE_GCM) failed with status code:{0}

BCrypt.BCryptImportKey() failed with status code:{0}

BCrypt.BCryptGetProperty() (get size) failed with status code:{0}

BCrypt.BCryptGetProperty() failed with status code:{0}

IMAP Password

POP3 Password

HTTP Password

SMTP Password

Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676

Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

GetBytes

SMTP Server

Nothing

Outlook

Foxmail

SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command

Foxmail.exe

Storage\

\Accounts\Account.rec0

Account

POP3Account

Password

POP3Password

E-Mail: {0}

PSWD: {0}

\Local State

"encrypted_key":"(.*?)"

\Kinza\User Data\Default\Login Data

logins

origin_url

username_value

password_value

\Sputnik\Sputnik\User Data\Default\Login Data

\SalamWeb\User Data\Default\Login Data

\MapleStudio\ChromePlus\User Data\Default\Login Data

\QIP Surf\User Data\Default\Login Data

\BlackHawk\User Data\Default\Login Data

\7Star\7Star\User Data\Default\Login Data

APPDATA

\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data

\CatalinaGroup\Citrio\User Data\Default\Login Data

\Google\Chrome SxS\User Data\Default\Login Data

\Google\Chrome\User Data\Default\Login Data

\Coowon\Coowon\User Data\Default\Login Data

\CocCoc\Browser\User Data\Default\Login Data

\uCozMedia\Uran\User Data\Default\Login Data

\Tencent\QQBrowser\User Data\Default\Login Data

\Orbitum\User Data\Default\Login Data

\Slimjet\User Data\Default\Login Data

\Iridium\User Data\Default\Login Data

\Vivaldi\User Data\Default\Login Data

\Chromium\User Data\Default\Login Data

\GhostBrowser\User Data\Default\Login Data

\CentBrowser\User Data\Default\Login Data

\Xvast\User Data\Default\Login Data

\Chedot\User Data\Default\Login Data

\SuperBird\User Data\Default\Login Data

\360Browser\Browser\User Data\Default\Login Data

\360Chrome\Chrome\User Data\Default\Login Data

\Comodo\Dragon\User Data\Default\Login Data

\BraveSoftware\Brave-Browser\User Data\Default\Login Data

\Torch\User Data\Default\Login Data

\UCBrowser\User Data_i18n\Default\UC Login Data.18

wow_logins

\Blisk\User Data\Default\Login Data

\Epic Privacy Browser\User Data\Default\Login Data

\Yandex\YandexBrowser\User Data\Default\Ya Login Data

\Nichrome\User Data\Default\Login Data

\Amigo\User Data\Default\Login Data

\Kometa\User Data\Default\Login Data

\Xpom\User Data\Default\Login Data

\Elements Browser\User Data\Default\Login Data

\Microsoft\Edge\User Data\Default\Login Data

ataD nigoL\elbatS arepO\erawtfoS arepO\

tad.dnaw\eliforp\arepO\arepO\

ReadTable

snigol

GetRowCount

GetValue

lru_nigiro

eulav_emanresu

eulav_drowssap

abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=

\FileZilla\recentservers.xml

Host

Pass

Port

Host:

AppData

\.purple\accounts.xml

protocol

name

password

\Liebao7\User Data\Default\EncryptedStorage

entries

str3

str2

blob0

\AVAST Software\Browser\User Data\Default\Login Data

Software\Microsoft\Windows NT\CurrentVersion

DigitalProductID

BCDFGHJKMPQRTVWXY2346789

All User Profile * : (?<after>.*)

after

{0}{1}{2}{3}{4}

WiFi Name:

wlan show profile name="

" key=clear

netsh

wlan show profile

Key Content * : (?<after>.*)

Open Network

\discord\Local Storage\leveldb\

.log

UNIQUE

table

Mozilla\Firefox\Profiles

logins.json

Waterfox\Profiles

Thunderbird\Profiles\

Mozilla\SeaMonkey\Profiles

Comodo\IceDragon\Profiles

8pecxstudios\Cyberfox\Profiles

FlashPeak\SlimBrowser\Profiles

Mozilla\icecat\Profiles

PostboxApp\Profiles

Moonchild Productions\Pale Moon\Profiles

NSS_Shutdown

PROGRAMFILES

\Mozilla Thunderbird\

\Mozilla Firefox\

\SeaMonkey\

\Comodo\IceDragon\

\Cyberfox\

\Pale Moon\

\Waterfox Current\

\SlimBrowser\

\Postbox\

\mozglue.dll

\nss3.dll

NSS_Init

PK11SDR_Decrypt

1116

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\comdlg32.dll

3336

"C:\Users\admin\Desktop\82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe"

C:\Users\admin\Desktop\82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

QuanLyCafe

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

3792

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IghAgYEPrw" /XML "C:\Users\admin\AppData\Local\Temp\tmp1DD1.tmp"

C:\Windows\System32\schtasks.exe

—

82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll

Add for printing

Total events

1 481

Read events

1 454

Write events

Delete events

Modification events


(PID) Process:	(1116) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1116) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:	(1116) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:	(1116) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(1116) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1116) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1116) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(1116) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1116) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:	(1116) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\Desktop

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1116	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb1116.19004\82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe		executable
		MD5:AE6CE9E081EBCAD0F1A822C8BF9E8811	SHA256:82E5621EF317C7895D35697136ABA7AC7F91D39AD89570DA1946C06DF5308C59
3336	82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe	C:\Users\admin\AppData\Local\Temp\tmp1DD1.tmp		xml
		MD5:8D59A93894DCAB07B86C6309956944EC	SHA256:06CF721FBA44FE07C5880BB66081B714BC58A0709E385488AF3C364A83C6DD59
3336	82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe	C:\Users\admin\AppData\Roaming\IghAgYEPrw.exe		executable
		MD5:AE6CE9E081EBCAD0F1A822C8BF9E8811	SHA256:82E5621EF317C7895D35697136ABA7AC7F91D39AD89570DA1946C06DF5308C59

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1076	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4004	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1060	82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe	193.122.6.168:80	checkip.dyndns.org	ORACLE-BMC-31898	DE	malicious
1060	82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe	132.226.8.169:80	checkip.dyndns.org	ORACLE-BMC-31898	JP	malicious
1060	82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe	193.122.130.0:80	checkip.dyndns.org	ORACLE-BMC-31898	US	malicious
1060	82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe	132.226.247.73:80	checkip.dyndns.org	ORACLE-BMC-31898	BR	malicious
1060	82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.exe	158.101.44.242:80	checkip.dyndns.org	ORACLE-BMC-31898	US	malicious

DNS requests

Domain	IP	Reputation
checkip.dyndns.org	193.122.6.168 132.226.8.169 193.122.130.0 132.226.247.73 158.101.44.242	shared
dns.msftncsi.com	131.107.255.255	shared

Threats

PID	Process	Class	Message
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
—	—	Misc activity	AV INFO Query to checkip.dyndns. Domain

Add for printing

No debug info

General Info

82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59.zip

E40B3AC059BCFB3A37B72E1565E3151F

CC0F72EE77BAF34D0D277841F5DBC14D3A45A1C3

7F6A2D7D6382DFD0897BB2E50180526E0FEB7F339C0E564F67BCF1A553BEADD9

12288:W6DEptN5cwwEdIZYi6UvzAU53qFN2jQLMFnHVYOsEgu3QUopdJooslVTC:W2e5F5dIZYNUn5a2kOC7EgugUopdJrs2

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Uses Task Scheduler to run other applications

SNAKE detected by memory dumps

BLACKGUARD detected by memory dumps

SUSPICIOUS

Application launched itself

Reads the Internet Settings

Executable content was dropped or overwritten

INFO

Executable content was dropped or overwritten

Reads the computer name

The process checks LSA protection

Checks supported languages

Manual execution by a user

Reads the machine GUID from the registry

Creates files or folders in the user directory

Create files in a temporary directory

Reads Environment values

Malware configuration

SnakeKeylogger

BlackGuard

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

SnakeKeylogger

BlackGuard

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings