Windows
Analysis Report
Shipment Document BL,INV and packing list.pdf.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
Shipment Document BL,INV and packing list.pdf.exe (PID: 3680 cmdline:
"C:\Users\ user\Deskt op\Shipmen t Document BL,INV an d packing list.pdf.e xe" MD5: 5FD799C047C81A8EFB15D9A32F1D8E39) RegSvcs.exe (PID: 3720 cmdline:
"C:\Users\ user\Deskt op\Shipmen t Document BL,INV an d packing list.pdf.e xe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
- cleanup
{
"C2 url": "https://api.telegram.org/bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendMessage"
}
{
"EXfil Mode": "Telegram",
"Telegram Token": "7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg",
"Telegram Chatid": "7632407857"
}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security | ||
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
Click to see the 19 entries |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Brandon George (blog post), Thomas Patzke: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-17T11:09:46.968357+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49163 | 149.154.167.220 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-17T11:09:40.070606+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49161 | 132.226.247.73 | 80 | TCP |
2025-03-17T11:09:46.217032+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49161 | 132.226.247.73 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-17T11:09:46.712421+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.22 | 49163 | 149.154.167.220 | 443 | TCP |
- • AV Detection
- • Location Tracking
- • Compliance
- • Networking
- • System Summary
- • Persistence and Installation Behavior
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
- • Lowering of HIPS / PFW / Operating System Security Settings
- • Stealing of Sensitive Information
- • Remote Access Functionality
Click to jump to signature section
AV Detection |
---|
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Location Tracking |
---|
Source: | DNS query: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Binary string: |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: |
Source: | DNS query: | ||
Source: | DNS query: | ||
Source: | DNS query: | ||
Source: | DNS query: |
Source: | Suricata IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | String found in binary or memory: | memstr_36456399-d | |
Source: | String found in binary or memory: | memstr_f6eaea43-4 | |
Source: | String found in binary or memory: | memstr_bc045e3a-7 | |
Source: | String found in binary or memory: | memstr_ec850c34-a |
Source: | Static PE information: |
Source: | Process Stats: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | File created: | |||
Source: | File created: | Jump to behavior |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Static PE information: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | API/Special instruction interceptor: |
Source: | Binary or memory string: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Section loaded: | Jump to behavior |
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File opened: | Jump to behavior |
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 212 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Email Collection | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Virtualization/Sandbox Evasion | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 212 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 113 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
50% | ReversingLabs | Win32.Trojan.AutoitInject |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
reallyfreegeoip.org | 104.21.112.1 | true | false | high | |
api.telegram.org | 149.154.167.220 | true | false | high | |
checkip.dyndns.com | 132.226.8.169 | true | false | high | |
checkip.dyndns.org | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false | |
104.21.112.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false | |
132.226.247.73 | unknown | United States | 16989 | UTMEMUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1640472 |
Start date and time: | 2025-03-17 11:08:42 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 19s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Shipment Document BL,INV and packing list.pdf.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/2@5/3 |
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe, WM IADAP.exe - Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtQueryValueKey calls found. - Report size getting too big, t
oo many NtReadVirtualMemory ca lls found.
Time | Type | Description |
---|---|---|
06:09:36 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
149.154.167.220 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |||
Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |||
104.21.112.1 | Get hash | malicious | FormBook | Browse |
| |
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | Lokibot | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
132.226.247.73 | Get hash | malicious | Snake Keylogger | Browse |
| |
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
Get hash | malicious | MSIL Logger | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
reallyfreegeoip.org | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
| ||
api.telegram.org | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| ||
Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| ||
checkip.dyndns.com | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
TELEGRAMRU | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
UTMEMUS | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
CLOUDFLARENETUS | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| |
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | AsyncRAT, XWorm | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
05af1f5ca1b87cc9cc9b25185115607d | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
Get hash | malicious | MSIL Logger | Browse |
| ||
Get hash | malicious | MSIL Logger | Browse |
| ||
Get hash | malicious | MSIL Logger | Browse |
| ||
Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
Get hash | malicious | MSIL Logger | Browse |
| ||
Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
Get hash | malicious | MassLogger RAT | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | MassLogger RAT | Browse |
| ||
36f7277af969a6947a61ae0b815907a1 | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
Get hash | malicious | Remcos, GuLoader, MailPassView | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Remcos | Browse |
| ||
Get hash | malicious | Remcos | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 93696 |
Entropy (8bit): | 6.914527220484985 |
Encrypted: | false |
SSDEEP: | 1536:kZ9NWJT5fkWG9CKDkqTdCXzkDfiCKzMeb45fwUjwkvvU+aT8rIjnPg4ujeOkk:kZXWJ9ZNMdUDURWzk51vcOkPg4+eq |
MD5: | 21C7393E0CEB68F93247A94F120D159C |
SHA1: | 9D5E4FFBB467FB223EC92F8828C149BD4F94C1C5 |
SHA-256: | 69A3507E33BEF2B15CBD9CFE604D1A040D24B41EAD1D20C7FE6E272FAC2E3F57 |
SHA-512: | 42116223605AB76376719F84847D91E89E5DD0FC8F797A1C565D3F6478AD764FCCCD02D239DC2FE2CF232542E440B02660D8B8B172C11B95B9DCE18152E80AAF |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 69206 |
Entropy (8bit): | 7.923910436166648 |
Encrypted: | false |
SSDEEP: | 1536:8tIkrTIBniMh03U7gKsqv+2cOm6O1TACd8pL2kWyyizdDm4:8VTIRiMh0ssqv+bOm6O1TACd8psbUDm4 |
MD5: | 1A8D92684921C0F01E8A7D37852EA386 |
SHA1: | C677F5828F61D44F02BB2A36615555DB4723233E |
SHA-256: | C32FC74BFBF2E98D049DD92B28E05C7DFE07B2F788051D05B50F45FD116DA8FA |
SHA-512: | 1B4BFF6FD955852F330887E58CBAF95979FA654E1D4AB5C8F9BA1B07D5C0B54378276CA9369832E9A7250D26450AFA091B91023E7BE0CD09D2FE015FC3C38F20 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.858484049794402 |
TrID: |
|
File name: | Shipment Document BL,INV and packing list.pdf.exe |
File size: | 971'776 bytes |
MD5: | 5fd799c047c81a8efb15d9a32f1d8e39 |
SHA1: | fe01653460b4435266a8d3a3bdab26def6a9b2f7 |
SHA256: | ffac68d784d7cd99536b0664ff0a765371c8bf0d0836fce71fa8a29afa9cb5c3 |
SHA512: | 71e97cda9b0c205be029726c6c280afedcfacf92f324734945d622f2112e259f85b29cf6745455cca2aad39734257ac05cf43c6576c732d0ab3c2f7fd1fd79d0 |
SSDEEP: | 24576:xu6J33O0c+JY5UZ+XC0kGso6Fa5ZzQ5N8yWY:ju0c++OCvkGs9Fa55Q5qY |
TLSH: | 0925AE2273DDC360CB669173BF69B7016EBF3C614630B85B2F980D7DA950162262D7A3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}. |
Icon Hash: | aaf3e3e3938382a0 |
Entrypoint: | 0x427dcd |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67D76614 [Mon Mar 17 00:00:20 2025 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | afcdf79be1557326c854b6e20cb900a7 |
Instruction |
---|
call 00007F256C7CD14Ah |
jmp 00007F256C7BFF14h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push edi |
push esi |
mov esi, dword ptr [esp+10h] |
mov ecx, dword ptr [esp+14h] |
mov edi, dword ptr [esp+0Ch] |
mov eax, ecx |
mov edx, ecx |
add eax, esi |
cmp edi, esi |
jbe 00007F256C7C009Ah |
cmp edi, eax |
jc 00007F256C7C03FEh |
bt dword ptr [004C31FCh], 01h |
jnc 00007F256C7C0099h |
rep movsb |
jmp 00007F256C7C03ACh |
cmp ecx, 00000080h |
jc 00007F256C7C0264h |
mov eax, edi |
xor eax, esi |
test eax, 0000000Fh |
jne 00007F256C7C00A0h |
bt dword ptr [004BE324h], 01h |
jc 00007F256C7C0570h |
bt dword ptr [004C31FCh], 00000000h |
jnc 00007F256C7C023Dh |
test edi, 00000003h |
jne 00007F256C7C024Eh |
test esi, 00000003h |
jne 00007F256C7C022Dh |
bt edi, 02h |
jnc 00007F256C7C009Fh |
mov eax, dword ptr [esi] |
sub ecx, 04h |
lea esi, dword ptr [esi+04h] |
mov dword ptr [edi], eax |
lea edi, dword ptr [edi+04h] |
bt edi, 03h |
jnc 00007F256C7C00A3h |
movq xmm1, qword ptr [esi] |
sub ecx, 08h |
lea esi, dword ptr [esi+08h] |
movq qword ptr [edi], xmm1 |
lea edi, dword ptr [edi+08h] |
test esi, 00000007h |
je 00007F256C7C00F5h |
bt esi, 03h |
jnc 00007F256C7C0148h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x24b28 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xec000 | 0x711c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xc7000 | 0x24b28 | 0x24c00 | d9fe10679bd9771d4e7edde00484457d | False | 0.8208904655612245 | data | 7.6000179710571585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xec000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9 |
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103 |
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
RT_RCDATA | 0xcf7b8 | 0x1bded | data | 1.000359154497753 | ||
RT_GROUP_ICON | 0xeb5a8 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
RT_GROUP_ICON | 0xeb620 | 0x14 | data | English | Great Britain | 1.25 |
RT_GROUP_ICON | 0xeb634 | 0x14 | data | English | Great Britain | 1.15 |
RT_GROUP_ICON | 0xeb648 | 0x14 | data | English | Great Britain | 1.25 |
RT_VERSION | 0xeb65c | 0xdc | data | English | Great Britain | 0.6181818181818182 |
RT_MANIFEST | 0xeb738 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
DLL | Import |
---|---|
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
PSAPI.DLL | GetProcessMemoryInfo |
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
UxTheme.dll | IsThemeActive |
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
Description | Data |
---|---|
Translation | 0x0809 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | Great Britain |
Download Network PCAP: filtered – full
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-17T11:09:40.070606+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.22 | 49161 | 132.226.247.73 | 80 | TCP |
2025-03-17T11:09:46.217032+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.22 | 49161 | 132.226.247.73 | 80 | TCP |
2025-03-17T11:09:46.712421+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.22 | 49163 | 149.154.167.220 | 443 | TCP |
2025-03-17T11:09:46.968357+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.22 | 49163 | 149.154.167.220 | 443 | TCP |
- Total Packets: 32
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2025 11:09:38.940457106 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73 |
Mar 17, 2025 11:09:38.945120096 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22 |
Mar 17, 2025 11:09:38.945218086 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73 |
Mar 17, 2025 11:09:38.946794033 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73 |
Mar 17, 2025 11:09:38.951463938 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22 |
Mar 17, 2025 11:09:39.618871927 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22 |
Mar 17, 2025 11:09:39.647978067 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73 |
Mar 17, 2025 11:09:39.652802944 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22 |
Mar 17, 2025 11:09:39.854804039 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22 |
Mar 17, 2025 11:09:39.873298883 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1 |
Mar 17, 2025 11:09:39.873342991 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22 |
Mar 17, 2025 11:09:39.873430014 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1 |
Mar 17, 2025 11:09:39.877861023 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1 |
Mar 17, 2025 11:09:39.877876043 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22 |
Mar 17, 2025 11:09:40.070605993 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73 |
Mar 17, 2025 11:09:40.071459055 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22 |
Mar 17, 2025 11:09:40.071564913 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73 |
Mar 17, 2025 11:09:40.349121094 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22 |
Mar 17, 2025 11:09:40.349235058 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1 |
Mar 17, 2025 11:09:40.354361057 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1 |
Mar 17, 2025 11:09:40.354374886 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22 |
Mar 17, 2025 11:09:40.354840040 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22 |
Mar 17, 2025 11:09:40.425414085 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1 |
Mar 17, 2025 11:09:40.472326040 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22 |
Mar 17, 2025 11:09:40.533129930 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22 |
Mar 17, 2025 11:09:40.533196926 CET | 443 | 49162 | 104.21.112.1 | 192.168.2.22 |
Mar 17, 2025 11:09:40.533252954 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1 |
Mar 17, 2025 11:09:40.535520077 CET | 49162 | 443 | 192.168.2.22 | 104.21.112.1 |
Mar 17, 2025 11:09:45.811121941 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73 |
Mar 17, 2025 11:09:45.815870047 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22 |
Mar 17, 2025 11:09:46.019241095 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22 |
Mar 17, 2025 11:09:46.031341076 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220 |
Mar 17, 2025 11:09:46.031382084 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22 |
Mar 17, 2025 11:09:46.031451941 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220 |
Mar 17, 2025 11:09:46.032159090 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220 |
Mar 17, 2025 11:09:46.032167912 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22 |
Mar 17, 2025 11:09:46.217031956 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73 |
Mar 17, 2025 11:09:46.648231983 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22 |
Mar 17, 2025 11:09:46.648319006 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220 |
Mar 17, 2025 11:09:46.656245947 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220 |
Mar 17, 2025 11:09:46.656253099 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22 |
Mar 17, 2025 11:09:46.656554937 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22 |
Mar 17, 2025 11:09:46.667249918 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220 |
Mar 17, 2025 11:09:46.712316036 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22 |
Mar 17, 2025 11:09:46.712362051 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220 |
Mar 17, 2025 11:09:46.712368011 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22 |
Mar 17, 2025 11:09:46.968339920 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22 |
Mar 17, 2025 11:09:46.968430042 CET | 443 | 49163 | 149.154.167.220 | 192.168.2.22 |
Mar 17, 2025 11:09:46.968467951 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220 |
Mar 17, 2025 11:09:46.969052076 CET | 49163 | 443 | 192.168.2.22 | 149.154.167.220 |
Mar 17, 2025 11:10:51.019860983 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22 |
Mar 17, 2025 11:10:51.019937038 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73 |
Mar 17, 2025 11:11:20.551553011 CET | 49161 | 80 | 192.168.2.22 | 132.226.247.73 |
Mar 17, 2025 11:11:20.556348085 CET | 80 | 49161 | 132.226.247.73 | 192.168.2.22 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2025 11:09:37.756031990 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8 |
Mar 17, 2025 11:09:37.764164925 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22 |
Mar 17, 2025 11:09:37.839934111 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8 |
Mar 17, 2025 11:09:37.846168995 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22 |
Mar 17, 2025 11:09:38.928704977 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8 |
Mar 17, 2025 11:09:38.934889078 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22 |
Mar 17, 2025 11:09:39.862629890 CET | 62751 | 53 | 192.168.2.22 | 8.8.8.8 |
Mar 17, 2025 11:09:39.872725964 CET | 53 | 62751 | 8.8.8.8 | 192.168.2.22 |
Mar 17, 2025 11:09:46.024574041 CET | 57893 | 53 | 192.168.2.22 | 8.8.8.8 |
Mar 17, 2025 11:09:46.030904055 CET | 53 | 57893 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 17, 2025 11:09:37.756031990 CET | 192.168.2.22 | 8.8.8.8 | 0x24b8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Mar 17, 2025 11:09:37.839934111 CET | 192.168.2.22 | 8.8.8.8 | 0x24b8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Mar 17, 2025 11:09:38.928704977 CET | 192.168.2.22 | 8.8.8.8 | 0x47f3 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Mar 17, 2025 11:09:39.862629890 CET | 192.168.2.22 | 8.8.8.8 | 0xf83f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Mar 17, 2025 11:09:46.024574041 CET | 192.168.2.22 | 8.8.8.8 | 0xb9d3 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 17, 2025 11:09:37.764164925 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:37.764164925 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:37.764164925 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:37.764164925 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:37.764164925 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:37.764164925 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:37.846168995 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:37.846168995 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:37.846168995 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:37.846168995 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:37.846168995 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:37.846168995 CET | 8.8.8.8 | 192.168.2.22 | 0x24b8 | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:38.934889078 CET | 8.8.8.8 | 192.168.2.22 | 0x47f3 | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:38.934889078 CET | 8.8.8.8 | 192.168.2.22 | 0x47f3 | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:38.934889078 CET | 8.8.8.8 | 192.168.2.22 | 0x47f3 | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:38.934889078 CET | 8.8.8.8 | 192.168.2.22 | 0x47f3 | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:38.934889078 CET | 8.8.8.8 | 192.168.2.22 | 0x47f3 | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:38.934889078 CET | 8.8.8.8 | 192.168.2.22 | 0x47f3 | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | 104.21.112.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | 104.21.96.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | 104.21.32.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | 104.21.80.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | 104.21.16.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | 104.21.48.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:39.872725964 CET | 8.8.8.8 | 192.168.2.22 | 0xf83f | No error (0) | 104.21.64.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 11:09:46.030904055 CET | 8.8.8.8 | 192.168.2.22 | 0xb9d3 | No error (0) | 149.154.167.220 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.22 | 49161 | 132.226.247.73 | 80 | 3720 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Mar 17, 2025 11:09:38.946794033 CET | 151 | OUT | |
Mar 17, 2025 11:09:39.618871927 CET | 273 | IN | |
Mar 17, 2025 11:09:39.647978067 CET | 127 | OUT | |
Mar 17, 2025 11:09:39.854804039 CET | 273 | IN | |
Mar 17, 2025 11:09:40.071459055 CET | 273 | IN | |
Mar 17, 2025 11:09:45.811121941 CET | 127 | OUT | |
Mar 17, 2025 11:09:46.019241095 CET | 273 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.22 | 49162 | 104.21.112.1 | 443 | 3720 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-17 10:09:40 UTC | 85 | OUT | |
2025-03-17 10:09:40 UTC | 857 | IN | |
2025-03-17 10:09:40 UTC | 362 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.22 | 49163 | 149.154.167.220 | 443 | 3720 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-17 10:09:46 UTC | 295 | OUT | |
2025-03-17 10:09:46 UTC | 1089 | OUT | |
2025-03-17 10:09:46 UTC | 388 | IN | |
2025-03-17 10:09:46 UTC | 557 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 06:09:34 |
Start date: | 17/03/2025 |
Path: | C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10f0000 |
File size: | 971'776 bytes |
MD5 hash: | 5FD799C047C81A8EFB15D9A32F1D8E39 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 06:09:35 |
Start date: | 17/03/2025 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x250000 |
File size: | 45'248 bytes |
MD5 hash: | 19855C0DC5BEC9FDF925307C57F9F5FC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | moderate |
Has exited: | false |