Edit tour

Windows Analysis Report
BmLue8t2V7.exe

Overview

General Information

Sample name:	BmLue8t2V7.exe renamed because original name is a hash value
Original sample name:	1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe
Analysis ID:	1422995
MD5:	0c84a5727488a29d79506aad7b9e8fca
SHA1:	71bb901c18f2c9cf8514e9bfb9c9462398ad30c6
SHA256:	1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Self deletion via cmd or bat file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

BmLue8t2V7.exe (PID: 1240 cmdline: "C:\Users\user\Desktop\BmLue8t2V7.exe" MD5: 0C84A5727488A29D79506AAD7B9E8FCA)

powershell.exe (PID: 1996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7556 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7176 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpB438.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BmLue8t2V7.exe (PID: 7260 cmdline: C:\Users\user\Desktop\BmLue8t2V7.exe MD5: 0C84A5727488A29D79506AAD7B9E8FCA)

cmd.exe (PID: 7740 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\BmLue8t2V7.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7800 cmdline: choice /C Y /N /D Y /T 3 MD5: 1A9804F0C374283B094E9E55DC5EE128)

ffVsTPS.exe (PID: 7372 cmdline: C:\Users\user\AppData\Roaming\ffVsTPS.exe MD5: 0C84A5727488A29D79506AAD7B9E8FCA)

schtasks.exe (PID: 7440 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpBC08.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ffVsTPS.exe (PID: 7492 cmdline: C:\Users\user\AppData\Roaming\ffVsTPS.exe MD5: 0C84A5727488A29D79506AAD7B9E8FCA)

cmd.exe (PID: 7824 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\ffVsTPS.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7880 cmdline: choice /C Y /N /D Y /T 3 MD5: 1A9804F0C374283B094E9E55DC5EE128)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@stpgig.com", "Password": "Stpgig#Login21", "Host": "mail.stpgig.com", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1477a:$a1: get_encryptedPassword 0x14a70:$a2: get_encryptedUsername 0x14586:$a3: get_timePasswordChanged 0x14681:$a4: get_passwordField 0x14790:$a5: set_encryptedPassword 0x15dc2:$a7: get_logins 0x15d25:$a10: KeyLoggerEventArgs 0x159be:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18188:$x1: $%SMTPDV$ 0x181ec:$x2: $#TheHashHere%& 0x197dd:$x3: %FTPDV$ 0x198d1:$x4: $%TelegramDv$ 0x159be:$x5: KeyLoggerEventArgs 0x15d25:$x5: KeyLoggerEventArgs 0x19801:$m2: Clipboard Logs ID 0x199cd:$m2: Screenshot Logs ID 0x19a99:$m2: keystroke Logs ID 0x199a5:$m4: \SnakeKeylogger\
00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1004a:$a1: get_encryptedPassword 0x10340:$a2: get_encryptedUsername 0xfe56:$a3: get_timePasswordChanged 0xff51:$a4: get_passwordField 0x10060:$a5: set_encryptedPassword 0x11692:$a7: get_logins 0x115f5:$a10: KeyLoggerEventArgs 0x1128e:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x13a58:$x1: $%SMTPDV$ 0x13abc:$x2: $#TheHashHere%& 0x150ad:$x3: %FTPDV$ 0x151a1:$x4: $%TelegramDv$ 0x1128e:$x5: KeyLoggerEventArgs 0x115f5:$x5: KeyLoggerEventArgs 0x150d1:$m2: Clipboard Logs ID 0x1529d:$m2: Screenshot Logs ID 0x15369:$m2: keystroke Logs ID 0x15275:$m4: \SnakeKeylogger\
00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x156d2:$a1: get_encryptedPassword 0x35d12:$a1: get_encryptedPassword 0x5614a:$a1: get_encryptedPassword 0x159c8:$a2: get_encryptedUsername 0x36008:$a2: get_encryptedUsername 0x56440:$a2: get_encryptedUsername 0x154de:$a3: get_timePasswordChanged 0x35b1e:$a3: get_timePasswordChanged 0x55f56:$a3: get_timePasswordChanged 0x155d9:$a4: get_passwordField 0x35c19:$a4: get_passwordField 0x56051:$a4: get_passwordField 0x156e8:$a5: set_encryptedPassword 0x35d28:$a5: set_encryptedPassword 0x56160:$a5: set_encryptedPassword 0x16d1a:$a7: get_logins 0x3735a:$a7: get_logins 0x57792:$a7: get_logins 0x16c7d:$a10: KeyLoggerEventArgs 0x372bd:$a10: KeyLoggerEventArgs 0x576f5:$a10: KeyLoggerEventArgs
00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x190e0:$x1: $%SMTPDV$ 0x39720:$x1: $%SMTPDV$ 0x59b58:$x1: $%SMTPDV$ 0x19144:$x2: $#TheHashHere%& 0x39784:$x2: $#TheHashHere%& 0x59bbc:$x2: $#TheHashHere%& 0x1a735:$x3: %FTPDV$ 0x3ad75:$x3: %FTPDV$ 0x5b1ad:$x3: %FTPDV$ 0x1a829:$x4: $%TelegramDv$ 0x3ae69:$x4: $%TelegramDv$ 0x5b2a1:$x4: $%TelegramDv$ 0x16916:$x5: KeyLoggerEventArgs 0x16c7d:$x5: KeyLoggerEventArgs 0x36f56:$x5: KeyLoggerEventArgs 0x372bd:$x5: KeyLoggerEventArgs 0x5738e:$x5: KeyLoggerEventArgs 0x576f5:$x5: KeyLoggerEventArgs 0x1a759:$m2: Clipboard Logs ID 0x1a925:$m2: Screenshot Logs ID 0x1a9f1:$m2: keystroke Logs ID
0000000B.00000002.1486729273.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.1476046135.00000000036D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: BmLue8t2V7.exe PID: 1240	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BmLue8t2V7.exe PID: 1240	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: BmLue8t2V7.exe PID: 1240	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e29:$a1: get_encryptedPassword 0x89e72:$a1: get_encryptedPassword 0x3115:$a2: get_encryptedUsername 0x8a15e:$a2: get_encryptedUsername 0x2c3f:$a3: get_timePasswordChanged 0x89c88:$a3: get_timePasswordChanged 0x2d3a:$a4: get_passwordField 0x89d83:$a4: get_passwordField 0x2e3f:$a5: set_encryptedPassword 0x89e88:$a5: set_encryptedPassword 0x52a7:$a7: get_logins 0x8c2f0:$a7: get_logins 0x520a:$a10: KeyLoggerEventArgs 0x8c253:$a10: KeyLoggerEventArgs 0x4ea3:$a11: KeyLoggerEventArgsEventHandler 0x8beec:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: BmLue8t2V7.exe PID: 1240	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4ea3:$x5: KeyLoggerEventArgs 0x520a:$x5: KeyLoggerEventArgs 0x5af8:$x5: KeyLoggerEventArgs 0x5e2c:$x5: KeyLoggerEventArgs 0x8beec:$x5: KeyLoggerEventArgs 0x8c253:$x5: KeyLoggerEventArgs 0x8cb41:$x5: KeyLoggerEventArgs 0x8ce75:$x5: KeyLoggerEventArgs 0x7407:$m2: Clipboard Logs ID 0x74e7:$m2: Screenshot Logs ID 0x751b:$m2: keystroke Logs ID 0x8e450:$m2: Clipboard Logs ID 0x8e530:$m2: Screenshot Logs ID 0x8e564:$m2: keystroke Logs ID 0x74d3:$m4: \SnakeKeylogger\ 0x8e51c:$m4: \SnakeKeylogger\
Process Memory Space: BmLue8t2V7.exe PID: 7260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BmLue8t2V7.exe PID: 7260	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: BmLue8t2V7.exe PID: 7260	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfd9a:$a1: get_encryptedPassword 0x10086:$a2: get_encryptedUsername 0xfbb0:$a3: get_timePasswordChanged 0xfcab:$a4: get_passwordField 0xfdb0:$a5: set_encryptedPassword 0x12218:$a7: get_logins 0x1217b:$a10: KeyLoggerEventArgs 0x11e14:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: BmLue8t2V7.exe PID: 7260	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x11e14:$x5: KeyLoggerEventArgs 0x1217b:$x5: KeyLoggerEventArgs 0x12a69:$x5: KeyLoggerEventArgs 0x12d9d:$x5: KeyLoggerEventArgs 0x14378:$m2: Clipboard Logs ID 0x14458:$m2: Screenshot Logs ID 0x1448c:$m2: keystroke Logs ID 0x14444:$m4: \SnakeKeylogger\
Process Memory Space: ffVsTPS.exe PID: 7492	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.BmLue8t2V7.exe.140000000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.BmLue8t2V7.exe.140000000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
7.2.BmLue8t2V7.exe.140000000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1497a:$a1: get_encryptedPassword 0x14c70:$a2: get_encryptedUsername 0x14786:$a3: get_timePasswordChanged 0x14881:$a4: get_passwordField 0x14990:$a5: set_encryptedPassword 0x15fc2:$a7: get_logins 0x15f25:$a10: KeyLoggerEventArgs 0x15bbe:$a11: KeyLoggerEventArgsEventHandler
7.2.BmLue8t2V7.exe.140000000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c2e1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b513:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b946:$a4: \Orbitum\User Data\Default\Login Data 0x1c985:$a5: \Kometa\User Data\Default\Login Data
7.2.BmLue8t2V7.exe.140000000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552c:$s1: UnHook 0x15533:$s2: SetHook 0x1553b:$s3: CallNextHook 0x15548:$s4: _hook
7.2.BmLue8t2V7.exe.140000000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18388:$x1: $%SMTPDV$ 0x183ec:$x2: $#TheHashHere%& 0x199dd:$x3: %FTPDV$ 0x19ad1:$x4: $%TelegramDv$ 0x15bbe:$x5: KeyLoggerEventArgs 0x15f25:$x5: KeyLoggerEventArgs 0x19a01:$m2: Clipboard Logs ID 0x19bcd:$m2: Screenshot Logs ID 0x19c99:$m2: keystroke Logs ID 0x19ba5:$m4: \SnakeKeylogger\
0.2.BmLue8t2V7.exe.13fcbd58.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BmLue8t2V7.exe.13fcbd58.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.BmLue8t2V7.exe.13fcbd58.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b7a:$a1: get_encryptedPassword 0x12e70:$a2: get_encryptedUsername 0x12986:$a3: get_timePasswordChanged 0x12a81:$a4: get_passwordField 0x12b90:$a5: set_encryptedPassword 0x141c2:$a7: get_logins 0x14125:$a10: KeyLoggerEventArgs 0x13dbe:$a11: KeyLoggerEventArgsEventHandler
0.2.BmLue8t2V7.exe.13fcbd58.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a4e1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19713:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b46:$a4: \Orbitum\User Data\Default\Login Data 0x1ab85:$a5: \Kometa\User Data\Default\Login Data
0.2.BmLue8t2V7.exe.13fcbd58.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1372c:$s1: UnHook 0x13733:$s2: SetHook 0x1373b:$s3: CallNextHook 0x13748:$s4: _hook
0.2.BmLue8t2V7.exe.13fcbd58.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16588:$x1: $%SMTPDV$ 0x165ec:$x2: $#TheHashHere%& 0x17bdd:$x3: %FTPDV$ 0x17cd1:$x4: $%TelegramDv$ 0x13dbe:$x5: KeyLoggerEventArgs 0x14125:$x5: KeyLoggerEventArgs 0x17c01:$m2: Clipboard Logs ID 0x17dcd:$m2: Screenshot Logs ID 0x17e99:$m2: keystroke Logs ID 0x17da5:$m4: \SnakeKeylogger\
0.2.BmLue8t2V7.exe.13fec398.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BmLue8t2V7.exe.13fec398.9.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.BmLue8t2V7.exe.13fec398.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b7a:$a1: get_encryptedPassword 0x12e70:$a2: get_encryptedUsername 0x12986:$a3: get_timePasswordChanged 0x12a81:$a4: get_passwordField 0x12b90:$a5: set_encryptedPassword 0x141c2:$a7: get_logins 0x14125:$a10: KeyLoggerEventArgs 0x13dbe:$a11: KeyLoggerEventArgsEventHandler
0.2.BmLue8t2V7.exe.13fec398.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a4e1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19713:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b46:$a4: \Orbitum\User Data\Default\Login Data 0x1ab85:$a5: \Kometa\User Data\Default\Login Data
0.2.BmLue8t2V7.exe.13fec398.9.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1372c:$s1: UnHook 0x13733:$s2: SetHook 0x1373b:$s3: CallNextHook 0x13748:$s4: _hook
0.2.BmLue8t2V7.exe.13fec398.9.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16588:$x1: $%SMTPDV$ 0x165ec:$x2: $#TheHashHere%& 0x17bdd:$x3: %FTPDV$ 0x17cd1:$x4: $%TelegramDv$ 0x13dbe:$x5: KeyLoggerEventArgs 0x14125:$x5: KeyLoggerEventArgs 0x17c01:$m2: Clipboard Logs ID 0x17dcd:$m2: Screenshot Logs ID 0x17e99:$m2: keystroke Logs ID 0x17da5:$m4: \SnakeKeylogger\
0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1497a:$a1: get_encryptedPassword 0x34db2:$a1: get_encryptedPassword 0x14c70:$a2: get_encryptedUsername 0x350a8:$a2: get_encryptedUsername 0x14786:$a3: get_timePasswordChanged 0x34bbe:$a3: get_timePasswordChanged 0x14881:$a4: get_passwordField 0x34cb9:$a4: get_passwordField 0x14990:$a5: set_encryptedPassword 0x34dc8:$a5: set_encryptedPassword 0x15fc2:$a7: get_logins 0x363fa:$a7: get_logins 0x15f25:$a10: KeyLoggerEventArgs 0x3635d:$a10: KeyLoggerEventArgs 0x15bbe:$a11: KeyLoggerEventArgsEventHandler 0x35ff6:$a11: KeyLoggerEventArgsEventHandler
0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552c:$s1: UnHook 0x35964:$s1: UnHook 0x15533:$s2: SetHook 0x3596b:$s2: SetHook 0x1553b:$s3: CallNextHook 0x35973:$s3: CallNextHook 0x15548:$s4: _hook 0x35980:$s4: _hook
0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18388:$x1: $%SMTPDV$ 0x387c0:$x1: $%SMTPDV$ 0x183ec:$x2: $#TheHashHere%& 0x38824:$x2: $#TheHashHere%& 0x199dd:$x3: %FTPDV$ 0x39e15:$x3: %FTPDV$ 0x19ad1:$x4: $%TelegramDv$ 0x39f09:$x4: $%TelegramDv$ 0x15bbe:$x5: KeyLoggerEventArgs 0x15f25:$x5: KeyLoggerEventArgs 0x35ff6:$x5: KeyLoggerEventArgs 0x3635d:$x5: KeyLoggerEventArgs 0x19a01:$m2: Clipboard Logs ID 0x19bcd:$m2: Screenshot Logs ID 0x19c99:$m2: keystroke Logs ID 0x39e39:$m2: Clipboard Logs ID 0x3a005:$m2: Screenshot Logs ID 0x3a0d1:$m2: keystroke Logs ID 0x19ba5:$m4: \SnakeKeylogger\ 0x39fdd:$m4: \SnakeKeylogger\
0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1497a:$a1: get_encryptedPassword 0x34fba:$a1: get_encryptedPassword 0x553f2:$a1: get_encryptedPassword 0x14c70:$a2: get_encryptedUsername 0x352b0:$a2: get_encryptedUsername 0x556e8:$a2: get_encryptedUsername 0x14786:$a3: get_timePasswordChanged 0x34dc6:$a3: get_timePasswordChanged 0x551fe:$a3: get_timePasswordChanged 0x14881:$a4: get_passwordField 0x34ec1:$a4: get_passwordField 0x552f9:$a4: get_passwordField 0x14990:$a5: set_encryptedPassword 0x34fd0:$a5: set_encryptedPassword 0x55408:$a5: set_encryptedPassword 0x15fc2:$a7: get_logins 0x36602:$a7: get_logins 0x56a3a:$a7: get_logins 0x15f25:$a10: KeyLoggerEventArgs 0x36565:$a10: KeyLoggerEventArgs 0x5699d:$a10: KeyLoggerEventArgs
0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552c:$s1: UnHook 0x35b6c:$s1: UnHook 0x55fa4:$s1: UnHook 0x15533:$s2: SetHook 0x35b73:$s2: SetHook 0x55fab:$s2: SetHook 0x1553b:$s3: CallNextHook 0x35b7b:$s3: CallNextHook 0x55fb3:$s3: CallNextHook 0x15548:$s4: _hook 0x35b88:$s4: _hook 0x55fc0:$s4: _hook
0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18388:$x1: $%SMTPDV$ 0x389c8:$x1: $%SMTPDV$ 0x58e00:$x1: $%SMTPDV$ 0x183ec:$x2: $#TheHashHere%& 0x38a2c:$x2: $#TheHashHere%& 0x58e64:$x2: $#TheHashHere%& 0x199dd:$x3: %FTPDV$ 0x3a01d:$x3: %FTPDV$ 0x5a455:$x3: %FTPDV$ 0x19ad1:$x4: $%TelegramDv$ 0x3a111:$x4: $%TelegramDv$ 0x5a549:$x4: $%TelegramDv$ 0x15bbe:$x5: KeyLoggerEventArgs 0x15f25:$x5: KeyLoggerEventArgs 0x361fe:$x5: KeyLoggerEventArgs 0x36565:$x5: KeyLoggerEventArgs 0x56636:$x5: KeyLoggerEventArgs 0x5699d:$x5: KeyLoggerEventArgs 0x19a01:$m2: Clipboard Logs ID 0x19bcd:$m2: Screenshot Logs ID 0x19c99:$m2: keystroke Logs ID
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BmLue8t2V7.exe", ParentImage: C:\Users\user\Desktop\BmLue8t2V7.exe, ParentProcessId: 1240, ParentProcessName: BmLue8t2V7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe", ProcessId: 1996, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpBC08.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpBC08.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ffVsTPS.exe, ParentImage: C:\Users\user\AppData\Roaming\ffVsTPS.exe, ParentProcessId: 7372, ParentProcessName: ffVsTPS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpBC08.tmp", ProcessId: 7440, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpB438.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpB438.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BmLue8t2V7.exe", ParentImage: C:\Users\user\Desktop\BmLue8t2V7.exe, ParentProcessId: 1240, ParentProcessName: BmLue8t2V7.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpB438.tmp", ProcessId: 7176, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BmLue8t2V7.exe", ParentImage: C:\Users\user\Desktop\BmLue8t2V7.exe, ParentProcessId: 1240, ParentProcessName: BmLue8t2V7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe", ProcessId: 1996, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpB438.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpB438.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BmLue8t2V7.exe", ParentImage: C:\Users\user\Desktop\BmLue8t2V7.exe, ParentProcessId: 1240, ParentProcessName: BmLue8t2V7.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpB438.tmp", ProcessId: 7176, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: BmLue8t2V7.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://scratchdreams.tk

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe

Avira: detection malicious, Label: TR/AD.SnakeStealer.osiep

Found malware configuration

Source: 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@stpgig.com", "Password": "Stpgig#Login21", "Host": "mail.stpgig.com", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: https://scratchdreams.tk

Virustotal: Detection: 15%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe

ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: BmLue8t2V7.exe	ReversingLabs: Detection: 57%
Source: BmLue8t2V7.exe	Virustotal: Detection: 68%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: BmLue8t2V7.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.8:49709 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.8:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.8:49732 -> 172.67.177.134:443 version: TLS 1.0

Source: BmLue8t2V7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.8:49709 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.8:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.8:49732 -> 172.67.177.134:443 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000389D000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000390C000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038B0000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038C4000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000388A000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003618000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003596000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000034F2000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003606000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: ffVsTPS.exe, 0000000B.00000002.1486729273.00000000034F2000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035E4000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003606000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1489701453.000000001C91B000.00000004.00000020.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: BmLue8t2V7.exe, 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org0p
Source: ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgp
Source: BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000389D000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.0000000003805000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000390C000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038B0000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038C4000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000388A000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003512000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003618000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003596000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003606000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: BmLue8t2V7.exe, 00000000.00000002.1391411795.0000000003E21000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 00000008.00000002.1416835628.0000000003E21000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000389D000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000390C000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038B0000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038C4000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.0000000003834000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000388A000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003618000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003596000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000034F2000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003606000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: BmLue8t2V7.exe, 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000034F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003606000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.227.228
Source: BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000390C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.227.2280p
Source: BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000034F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.227.228p
Source: BmLue8t2V7.exe, 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.BmLue8t2V7.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.BmLue8t2V7.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.BmLue8t2V7.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.BmLue8t2V7.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.BmLue8t2V7.exe.13fec398.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BmLue8t2V7.exe.13fec398.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BmLue8t2V7.exe.13fec398.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.BmLue8t2V7.exe.13fec398.9.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: BmLue8t2V7.exe PID: 1240, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: BmLue8t2V7.exe PID: 1240, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: BmLue8t2V7.exe PID: 7260, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: BmLue8t2V7.exe PID: 7260, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Code function: 0_2_00007FFB4B26BBFF	0_2_00007FFB4B26BBFF
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Code function: 0_2_00007FFB4B26E1D1	0_2_00007FFB4B26E1D1
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Code function: 0_2_00007FFB4B26214C	0_2_00007FFB4B26214C
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Code function: 0_2_00007FFB4B26239D	0_2_00007FFB4B26239D
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Code function: 0_2_00007FFB4B266C28	0_2_00007FFB4B266C28
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Code function: 0_2_00007FFB4B26E6FA	0_2_00007FFB4B26E6FA
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Code function: 0_2_00007FFB4B26A950	0_2_00007FFB4B26A950
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Code function: 8_2_00007FFB4B27BBFF	8_2_00007FFB4B27BBFF
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Code function: 8_2_00007FFB4B27E1D1	8_2_00007FFB4B27E1D1
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Code function: 8_2_00007FFB4B27214C	8_2_00007FFB4B27214C
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Code function: 8_2_00007FFB4B27239D	8_2_00007FFB4B27239D
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Code function: 8_2_00007FFB4B276C28	8_2_00007FFB4B276C28
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Code function: 8_2_00007FFB4B27A950	8_2_00007FFB4B27A950

Source: BmLue8t2V7.exe	Static PE information: No import functions for PE file found
Source: ffVsTPS.exe.0.dr	Static PE information: No import functions for PE file found

Source: BmLue8t2V7.exe, 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs BmLue8t2V7.exe
Source: BmLue8t2V7.exe, 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs BmLue8t2V7.exe
Source: BmLue8t2V7.exe, 00000000.00000002.1391411795.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs BmLue8t2V7.exe
Source: BmLue8t2V7.exe, 00000000.00000002.1398144824.000000001E240000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs BmLue8t2V7.exe
Source: BmLue8t2V7.exe, 00000000.00000002.1391411795.0000000003E21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs BmLue8t2V7.exe
Source: BmLue8t2V7.exe, 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs BmLue8t2V7.exe
Source: BmLue8t2V7.exe, 00000000.00000002.1396828950.000000001C970000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs BmLue8t2V7.exe
Source: BmLue8t2V7.exe, 00000000.00000002.1391411795.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs BmLue8t2V7.exe
Source: BmLue8t2V7.exe, 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs BmLue8t2V7.exe
Source: BmLue8t2V7.exe, 00000007.00000002.1475394547.0000000001E61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs BmLue8t2V7.exe
Source: BmLue8t2V7.exe	Binary or memory string: OriginalFilenameyCAo.exe" vs BmLue8t2V7.exe

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\choice.exe	Section loaded: version.dll
Source: C:\Windows\System32\choice.exe	Section loaded: version.dll

Source: 7.2.BmLue8t2V7.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.BmLue8t2V7.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.BmLue8t2V7.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.BmLue8t2V7.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.BmLue8t2V7.exe.13fec398.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BmLue8t2V7.exe.13fec398.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BmLue8t2V7.exe.13fec398.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.BmLue8t2V7.exe.13fec398.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: BmLue8t2V7.exe PID: 1240, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: BmLue8t2V7.exe PID: 1240, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: BmLue8t2V7.exe PID: 7260, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: BmLue8t2V7.exe PID: 7260, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: BmLue8t2V7.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ffVsTPS.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@26/11@2/2

Source: C:\Users\user\Desktop\BmLue8t2V7.exe

File created: C:\Users\user\AppData\Roaming\ffVsTPS.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1992:120:WilError_03

Source: C:\Users\user\Desktop\BmLue8t2V7.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB438.tmp

Jump to behavior

Source: BmLue8t2V7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BmLue8t2V7.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.65%

Source: C:\Users\user\Desktop\BmLue8t2V7.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BmLue8t2V7.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ffVsTPS.exe.0.dr

Binary or memory string: SELECT e.id_empleado AS ID, e.nombre AS NOMBRE, e.apellido AS APELLIDO, e.email AS CORREO, e.telefono AS TELEFONO, t.tipo AS CARGO FROM empleados e INNER JOIN tipo_empleados t ON e.id_tipo_empleado=t.id_tipo_empleado;

Source: BmLue8t2V7.exe	ReversingLabs: Detection: 57%
Source: BmLue8t2V7.exe	Virustotal: Detection: 68%

Source: C:\Users\user\Desktop\BmLue8t2V7.exe

File read: C:\Users\user\Desktop\BmLue8t2V7.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BmLue8t2V7.exe "C:\Users\user\Desktop\BmLue8t2V7.exe"
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpB438.tmp"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Users\user\Desktop\BmLue8t2V7.exe C:\Users\user\Desktop\BmLue8t2V7.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ffVsTPS.exe C:\Users\user\AppData\Roaming\ffVsTPS.exe
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpBC08.tmp"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process created: C:\Users\user\AppData\Roaming\ffVsTPS.exe C:\Users\user\AppData\Roaming\ffVsTPS.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\BmLue8t2V7.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\ffVsTPS.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpB438.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Users\user\Desktop\BmLue8t2V7.exe C:\Users\user\Desktop\BmLue8t2V7.exe	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\BmLue8t2V7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpBC08.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process created: C:\Users\user\AppData\Roaming\ffVsTPS.exe C:\Users\user\AppData\Roaming\ffVsTPS.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\ffVsTPS.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\BmLue8t2V7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\BmLue8t2V7.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: BmLue8t2V7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BmLue8t2V7.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: BmLue8t2V7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: BmLue8t2V7.exe, Form1.cs	.Net Code: InitializeComponent
Source: ffVsTPS.exe.0.dr, Form1.cs	.Net Code: InitializeComponent

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Code function: 0_2_00007FFB4B2600BD pushad ; iretd	0_2_00007FFB4B2600C1
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Code function: 7_2_00007FFB4B2900BD pushad ; iretd	7_2_00007FFB4B2900C1
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Code function: 8_2_00007FFB4B2700BD pushad ; iretd	8_2_00007FFB4B2700C1
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Code function: 11_2_00007FFB4B2600BD pushad ; iretd	11_2_00007FFB4B2600C1

Source: BmLue8t2V7.exe	Static PE information: section name: .text entropy: 7.956288237929535
Source: ffVsTPS.exe.0.dr	Static PE information: section name: .text entropy: 7.956288237929535

Source: C:\Users\user\Desktop\BmLue8t2V7.exe

File created: C:\Users\user\AppData\Roaming\ffVsTPS.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\BmLue8t2V7.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpB438.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\BmLue8t2V7.exe"
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\BmLue8t2V7.exe"			Jump to behavior

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Memory allocated: 1250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Memory allocated: 1BDD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Memory allocated: 1B6D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Memory allocated: 1730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Memory allocated: 1BDD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Memory allocated: CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Memory allocated: 1B3E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\BmLue8t2V7.exe

Code function: 0_2_00007FFB4B266078 sldt word ptr [eax]

0_2_00007FFB4B266078

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599544	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597999	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597871	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 594952	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598961	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596869	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596157	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596044	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 594498	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7070	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2578	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Window / User API: threadDelayed 2473	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Window / User API: threadDelayed 7185	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Window / User API: threadDelayed 1634	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Window / User API: threadDelayed 7609	Jump to behavior

Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 6464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7680	Thread sleep count: 2473 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -599544s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7680	Thread sleep count: 7185 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -597999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -597871s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -596766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -594952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7672	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7336	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe TID: 7312	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7392	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7704	Thread sleep count: 1634 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7704	Thread sleep count: 7609 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -598961s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -596869s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -596407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -596282s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -596157s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -596044s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -595704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -595579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7700	Thread sleep time: -594498s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7528	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe TID: 7516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599544	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597999	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597871	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 594952	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598961	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596869	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596157	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 596044	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 594498	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: BmLue8t2V7.exe, 00000007.00000002.1474109194.0000000000D58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: BmLue8t2V7.exe, 00000000.00000002.1397872704.000000001E140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: ffVsTPS.exe, 0000000B.00000002.1485693803.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll::

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\BmLue8t2V7.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe"
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Memory written: C:\Users\user\Desktop\BmLue8t2V7.exe base: 140000000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Memory written: C:\Users\user\AppData\Roaming\ffVsTPS.exe base: 140000000 value starts with: 4D5A			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Thread register set: target process: 7260			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Thread register set: target process: 7492			Jump to behavior

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpB438.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Users\user\Desktop\BmLue8t2V7.exe C:\Users\user\Desktop\BmLue8t2V7.exe	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\BmLue8t2V7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpBC08.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process created: C:\Users\user\AppData\Roaming\ffVsTPS.exe C:\Users\user\AppData\Roaming\ffVsTPS.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\ffVsTPS.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Queries volume information: C:\Users\user\Desktop\BmLue8t2V7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BmLue8t2V7.exe	Queries volume information: C:\Users\user\Desktop\BmLue8t2V7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Queries volume information: C:\Users\user\AppData\Roaming\ffVsTPS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ffVsTPS.exe	Queries volume information: C:\Users\user\AppData\Roaming\ffVsTPS.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\BmLue8t2V7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 7.2.BmLue8t2V7.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BmLue8t2V7.exe.13fcbd58.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BmLue8t2V7.exe.13fec398.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1486729273.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1476046135.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BmLue8t2V7.exe PID: 1240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BmLue8t2V7.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ffVsTPS.exe PID: 7492, type: MEMORYSTR

Source: Yara match	File source: 7.2.BmLue8t2V7.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BmLue8t2V7.exe.13fcbd58.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BmLue8t2V7.exe.13fec398.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BmLue8t2V7.exe PID: 1240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BmLue8t2V7.exe PID: 7260, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 7.2.BmLue8t2V7.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BmLue8t2V7.exe.13fcbd58.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BmLue8t2V7.exe.13fec398.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BmLue8t2V7.exe.13fec398.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BmLue8t2V7.exe.13fcbd58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1486729273.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1476046135.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BmLue8t2V7.exe PID: 1240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BmLue8t2V7.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ffVsTPS.exe PID: 7492, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	211 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BmLue8t2V7.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
BmLue8t2V7.exe	68%	Virustotal		Browse
BmLue8t2V7.exe	100%	Avira	TR/AD.SnakeStealer.osiep
BmLue8t2V7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\ffVsTPS.exe	100%	Avira	TR/AD.SnakeStealer.osiep
C:\Users\user\AppData\Roaming\ffVsTPS.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ffVsTPS.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
reallyfreegeoip.org	1%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org0p	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://checkip.dyndns.orgp	0%	Avira URL Cloud	safe
https://scratchdreams.tk	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/191.96.227.228	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/191.96.227.2280p	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/191.96.227.228p	0%	Avira URL Cloud	safe
https://scratchdreams.tk	15%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	1%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.247.73	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/191.96.227.228	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org0p	BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.orgp	ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003618000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	BmLue8t2V7.exe, 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scratchdreams.tk	BmLue8t2V7.exe, 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://reallyfreegeoip.org	BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000389D000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.0000000003805000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000390C000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038B0000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038C4000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000388A000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003512000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003618000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003596000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003606000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000389D000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000390C000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038B0000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038C4000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.0000000003834000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000388A000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003618000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003596000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000034F2000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003606000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	ffVsTPS.exe, 0000000B.00000002.1486729273.00000000034F2000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035E4000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003606000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.com	BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000389D000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000390C000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038B0000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038C4000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000388A000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003618000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003596000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000034F2000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.0000000003606000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BmLue8t2V7.exe, 00000000.00000002.1391411795.0000000003E21000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 00000008.00000002.1416835628.0000000003E21000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/191.96.227.2280p	BmLue8t2V7.exe, 00000007.00000002.1476046135.000000000390C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/191.96.227.228p	BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000034F2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	BmLue8t2V7.exe, 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1476046135.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, BmLue8t2V7.exe, 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, ffVsTPS.exe, 0000000B.00000002.1486729273.00000000034F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.177.134	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1422995
Start date and time:	2024-04-09 15:34:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BmLue8t2V7.exe renamed because original name is a hash value
Original Sample Name:	1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@26/11@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 71% Number of executed functions: 209 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target BmLue8t2V7.exe, PID 1240 because it is empty
Execution Graph export aborted for target BmLue8t2V7.exe, PID 7260 because it is empty
Execution Graph export aborted for target ffVsTPS.exe, PID 7372 because it is empty
Execution Graph export aborted for target ffVsTPS.exe, PID 7492 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:35:14	API Interceptor	51x Sleep call for process: BmLue8t2V7.exe modified
15:35:16	Task Scheduler	Run new task: ffVsTPS path: C:\Users\user\AppData\Roaming\ffVsTPS.exe
15:35:16	API Interceptor	49x Sleep call for process: ffVsTPS.exe modified
15:35:16	API Interceptor	19x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.177.134	gZIZ5eyCtS.exe	Get hash	malicious	Snake Keylogger	Browse
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse
132.226.247.73	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	xdd6BRIg0O.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	Mquqdysqqv.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.19533.14530.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	gZIZ5eyCtS.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	VI3 Operation Guide_tech Info versionfdp.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.8.169
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	158.101.44.242
	request-2.doc.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.8.169
reallyfreegeoip.org	gZIZ5eyCtS.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	RFQ.doc	Get hash	malicious	Unknown	Browse	104.21.25.202
	Bill-Transcript_6ZB6-IJYD3B-SEH0.html	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	https://helpmetasuite.pagepolicy-supportnow.com/metabusiness-standard-id796817528	Get hash	malicious	Unknown	Browse	104.21.95.34
	https://koks.top/	Get hash	malicious	Unknown	Browse	172.67.205.109
	Icb8TBhjRB.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	euFL17ioCm.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	03224.doc	Get hash	malicious	AgentTesla	Browse	172.67.134.136
	http://cf-ipfs.com	Get hash	malicious	Unknown	Browse	104.16.123.96
	f4GQGaxIzp.elf	Get hash	malicious	Mirai	Browse	104.26.226.217
	uvaXiyELu9.elf	Get hash	malicious	Mirai	Browse	104.24.135.124
UTMEMUS	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	VI3 Operation Guide_tech Info versionfdp.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.8.169
	1WOxWETNbC.elf	Get hash	malicious	Unknown	Browse	132.226.89.213
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	request-2.doc.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.8.169
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	gZIZ5eyCtS.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	VI3 Operation Guide_tech Info versionfdp.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.177.134
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	file.exe	Get hash	malicious	SmokeLoader, Xehook Stealer	Browse	172.67.177.134
	request-2.doc.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.177.134

Process:	C:\Users\user\Desktop\BmLue8t2V7.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1510
Entropy (8bit):	5.380493107040482
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
MD5:	3C7E5782E6C100B90932CBDED08ADE42
SHA1:	D498EE0833BB8C85592FB3B1E482267362DB3F74
SHA-256:	361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
SHA-512:	3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ffVsTPS.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ffVsTPS.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1510
Entropy (8bit):	5.380493107040482
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
MD5:	3C7E5782E6C100B90932CBDED08ADE42
SHA1:	D498EE0833BB8C85592FB3B1E482267362DB3F74
SHA-256:	361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
SHA-512:	3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulJnp/p:NllU
MD5:	BC6DB77EB243BF62DC31267706650173
SHA1:	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512:	91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious:	false
Preview:	@...e.................................X..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kj2eusyt.qx5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nyebbyir.n1o.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_obhwozox.xnq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oiskpibc.lbw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpB438.tmp

Download File

Process:	C:\Users\user\Desktop\BmLue8t2V7.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.1065804128812635
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtvxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTpv
MD5:	6300D64D1DA257F5568363CB771057CF
SHA1:	DA021F7F7802B1EF97367AFB36A5E4BA4A99298D
SHA-256:	5987A94571E78163F3AE56CFBBA609A786D6E0E03D5875F098B9BC504A2B0CF9
SHA-512:	39A548EF49202D39881A80163F4E6875ADE0AF8691ADB7F88EB4D1A2E12B9A8DF06E531769AF6911891CB1CF90C092AA8977D7A6743C2B18E1EF8267CCA44188
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpBC08.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ffVsTPS.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.1065804128812635
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtvxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTpv
MD5:	6300D64D1DA257F5568363CB771057CF
SHA1:	DA021F7F7802B1EF97367AFB36A5E4BA4A99298D
SHA-256:	5987A94571E78163F3AE56CFBBA609A786D6E0E03D5875F098B9BC504A2B0CF9
SHA-512:	39A548EF49202D39881A80163F4E6875ADE0AF8691ADB7F88EB4D1A2E12B9A8DF06E531769AF6911891CB1CF90C092AA8977D7A6743C2B18E1EF8267CCA44188
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\ffVsTPS.exe

Download File

Process:	C:\Users\user\Desktop\BmLue8t2V7.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	573440
Entropy (8bit):	7.895892183380107
Encrypted:	false
SSDEEP:	12288:1bQNl/WqCYWjgAXty1e6AhQn/rXuoW+sr6RfO12K8Q0:1bmbWjgktYnzvdKcI2K8Q0
MD5:	0C84A5727488A29D79506AAD7B9E8FCA
SHA1:	71BB901C18F2C9CF8514E9BFB9C9462398AD30C6
SHA-256:	1E2754B3CDCF417CF8A396DF60F61B3F75F10CC61D27807991882C5149E9C681
SHA-512:	82FECBD6EAA17CE089BDD851272FF254114B28E37C46CB565F05D5868FA956221A558C68482CC2FCCD43DFDF4C2B2244E6801009B36F086B1E1718F78B9C5888
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...m..f.........."...0...... ........... .....@..... ... ....................... ........@...@......@............... ............................................................................................................................... ..H............text....q... ....... .............. ..`.rsrc............ ..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ffVsTPS.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\BmLue8t2V7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.895892183380107
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.65% Win64 Executable GUI (202006/5) 46.21% Win64 Executable (generic) (12005/4) 2.75% Win16/32 Executable Delphi generic (2074/23) 0.47% Generic Win/DOS Executable (2004/3) 0.46%
File name:	BmLue8t2V7.exe
File size:	573'440 bytes
MD5:	0c84a5727488a29d79506aad7b9e8fca
SHA1:	71bb901c18f2c9cf8514e9bfb9c9462398ad30c6
SHA256:	1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681
SHA512:	82fecbd6eaa17ce089bdd851272ff254114b28e37c46cb565f05d5868fa956221a558c68482cc2fccd43dfdf4c2b2244e6801009b36f086b1e1718f78b9c5888
SSDEEP:	12288:1bQNl/WqCYWjgAXty1e6AhQn/rXuoW+sr6RfO12K8Q0:1bmbWjgktYnzvdKcI2K8Q0
TLSH:	4AC423447BF87726EDF29BB20572590407BB9552B82BE37C4CE1A4D549B2F48C292F23
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...m..f.........."...0...... ........... .....@..... ... ....................... ........@...@......@............... .....

File Icon


Icon Hash:	a6aa8a9e96008245

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6604D46D [Thu Mar 28 02:22:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x17f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x871a0	0x88000	44c5ad64199d7a555f3f14ffe1d4fbab	False	0.9603038114659926	data	7.956288237929535	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x17f4	0x2000	d0896cec7e62564545113c4865b00004	False	0.5963134765625	data	5.738329122964126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8a100	0x1186	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9152920196165849
RT_GROUP_ICON	0x8b298	0x14	data	1.05
RT_VERSION	0x8b2bc	0x338	data	0.4211165048543689
RT_MANIFEST	0x8b604	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 9, 2024 15:35:17.340325117 CEST	49707	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:17.540965080 CEST	80	49707	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:17.541157961 CEST	49707	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:17.541385889 CEST	49707	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:17.737617970 CEST	80	49707	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:17.738066912 CEST	80	49707	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:17.745531082 CEST	49707	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:17.982444048 CEST	80	49707	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:18.843837976 CEST	80	49707	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:18.890970945 CEST	49707	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:18.951891899 CEST	49709	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:18.951951981 CEST	443	49709	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:18.952042103 CEST	49709	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:18.962331057 CEST	49709	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:18.962369919 CEST	443	49709	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:19.155309916 CEST	443	49709	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:19.155394077 CEST	49709	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:19.161364079 CEST	49709	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:19.161377907 CEST	443	49709	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:19.161818981 CEST	443	49709	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:19.203473091 CEST	49709	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:19.236597061 CEST	49709	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:19.280235052 CEST	443	49709	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:19.647212029 CEST	49710	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:19.682476044 CEST	443	49709	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:19.682576895 CEST	443	49709	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:19.682672977 CEST	49709	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:19.689205885 CEST	49709	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:19.692859888 CEST	49707	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:19.843496084 CEST	80	49710	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:19.843586922 CEST	49710	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:19.873924971 CEST	49710	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:19.888947964 CEST	80	49707	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:19.889678955 CEST	80	49707	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:19.893964052 CEST	49711	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:19.894005060 CEST	443	49711	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:19.894079924 CEST	49711	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:19.894330978 CEST	49711	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:19.894340992 CEST	443	49711	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:19.937953949 CEST	49707	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:20.070219040 CEST	80	49710	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:20.070534945 CEST	80	49710	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:20.080881119 CEST	443	49711	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.082716942 CEST	49711	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.082740068 CEST	443	49711	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.084609985 CEST	49710	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:20.281280041 CEST	80	49710	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:20.290510893 CEST	49713	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.290568113 CEST	443	49713	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.290676117 CEST	49713	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.294761896 CEST	49713	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.294797897 CEST	443	49713	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.310038090 CEST	443	49711	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.310153008 CEST	443	49711	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.310225964 CEST	49711	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.327435017 CEST	49711	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.328471899 CEST	49710	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:20.332520008 CEST	49707	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:20.333937883 CEST	49714	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:20.489743948 CEST	443	49713	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.489835978 CEST	49713	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.491386890 CEST	49713	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.491399050 CEST	443	49713	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.491947889 CEST	443	49713	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.528739929 CEST	80	49707	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:20.528951883 CEST	49707	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:20.530658960 CEST	80	49714	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:20.530834913 CEST	49714	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:20.530953884 CEST	49714	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:20.547205925 CEST	49713	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.550889015 CEST	49713	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.592242956 CEST	443	49713	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.715917110 CEST	443	49713	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.716696024 CEST	443	49713	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.716779947 CEST	49713	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.720073938 CEST	49713	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.723026991 CEST	49710	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:20.727547884 CEST	80	49714	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:20.728429079 CEST	80	49714	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:20.729777098 CEST	49716	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.729824066 CEST	443	49716	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.729898930 CEST	49716	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.730200052 CEST	49716	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.730210066 CEST	443	49716	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.781611919 CEST	49714	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:20.919991016 CEST	80	49710	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:20.922523975 CEST	49717	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.922609091 CEST	443	49717	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.922696114 CEST	49717	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.922765970 CEST	443	49716	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.923152924 CEST	49717	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.923196077 CEST	443	49717	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.924160957 CEST	49716	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:20.924192905 CEST	443	49716	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:20.969094992 CEST	49710	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.107681990 CEST	443	49717	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.109325886 CEST	49717	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.109375954 CEST	443	49717	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.158484936 CEST	443	49716	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.158767939 CEST	443	49716	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.158876896 CEST	49716	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.159308910 CEST	49716	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.163110018 CEST	49714	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.164326906 CEST	49718	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.342901945 CEST	443	49717	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.343008995 CEST	443	49717	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.343131065 CEST	49717	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.343633890 CEST	49717	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.357733965 CEST	49710	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.359004974 CEST	49719	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.359678984 CEST	80	49714	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:21.359787941 CEST	49714	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.362828016 CEST	80	49718	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:21.362917900 CEST	49718	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.363058090 CEST	49718	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.554012060 CEST	80	49710	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:21.554083109 CEST	49710	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.554769039 CEST	80	49719	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:21.554841042 CEST	49719	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.555087090 CEST	49719	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.561610937 CEST	80	49718	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:21.562176943 CEST	80	49718	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:21.563544989 CEST	49720	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.563584089 CEST	443	49720	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.563669920 CEST	49720	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.563937902 CEST	49720	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.563957930 CEST	443	49720	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.609710932 CEST	49718	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.748903990 CEST	443	49720	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.750206947 CEST	49720	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.750245094 CEST	443	49720	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.751161098 CEST	80	49719	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:21.751997948 CEST	80	49719	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:21.753089905 CEST	49721	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.753129959 CEST	443	49721	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.753185987 CEST	49721	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.753488064 CEST	49721	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.753504038 CEST	443	49721	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.797245026 CEST	49719	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:21.948925018 CEST	443	49721	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.952086926 CEST	49721	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.952130079 CEST	443	49721	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.979559898 CEST	443	49720	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.979669094 CEST	443	49720	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:21.979732037 CEST	49720	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:21.980472088 CEST	49720	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.006702900 CEST	49722	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:22.175643921 CEST	443	49721	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:22.175913095 CEST	443	49721	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:22.175976038 CEST	49721	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.176584005 CEST	49721	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.180816889 CEST	49723	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:22.203656912 CEST	80	49722	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:22.203833103 CEST	49722	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:22.203911066 CEST	49722	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:22.378305912 CEST	80	49723	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:22.378458023 CEST	49723	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:22.378627062 CEST	49723	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:22.401424885 CEST	80	49722	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:22.402062893 CEST	80	49722	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:22.403620958 CEST	49724	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.403661966 CEST	443	49724	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:22.403759003 CEST	49724	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.404074907 CEST	49724	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.404084921 CEST	443	49724	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:22.453490973 CEST	49722	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:22.576045036 CEST	80	49723	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:22.576437950 CEST	80	49723	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:22.578083038 CEST	49725	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.578161955 CEST	443	49725	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:22.578322887 CEST	49725	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.578794956 CEST	49725	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.578829050 CEST	443	49725	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:22.591365099 CEST	443	49724	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:22.592688084 CEST	49724	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.592751026 CEST	443	49724	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:22.625365973 CEST	49723	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:22.776565075 CEST	443	49725	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:22.777911901 CEST	49725	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.777957916 CEST	443	49725	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:22.819225073 CEST	443	49724	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:22.819324970 CEST	443	49724	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:22.819518089 CEST	49724	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.820036888 CEST	49724	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:22.823286057 CEST	49722	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:22.824254990 CEST	49726	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.005453110 CEST	443	49725	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.005717039 CEST	443	49725	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.005776882 CEST	49725	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.006344080 CEST	49725	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.011271954 CEST	49723	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.011986971 CEST	49727	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.019964933 CEST	80	49726	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:23.020046949 CEST	49726	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.020195961 CEST	49726	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.020251036 CEST	80	49722	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:23.020410061 CEST	49722	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.208717108 CEST	80	49723	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:23.208803892 CEST	49723	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.210316896 CEST	80	49727	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:23.210400105 CEST	49727	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.210566998 CEST	49727	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.215919018 CEST	80	49726	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:23.216644049 CEST	80	49726	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:23.217999935 CEST	49728	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.218039989 CEST	443	49728	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.218276978 CEST	49728	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.218528986 CEST	49728	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.218540907 CEST	443	49728	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.266037941 CEST	49726	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.403238058 CEST	443	49728	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.404514074 CEST	49728	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.404546022 CEST	443	49728	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.408871889 CEST	80	49727	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:23.409710884 CEST	80	49727	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:23.410871983 CEST	49729	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.410911083 CEST	443	49729	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.410993099 CEST	49729	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.411220074 CEST	49729	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.411233902 CEST	443	49729	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.453484058 CEST	49727	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.607148886 CEST	443	49729	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.608339071 CEST	49729	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.608371973 CEST	443	49729	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.636209965 CEST	443	49728	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.636329889 CEST	443	49728	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.636373997 CEST	49728	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.636822939 CEST	49728	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.639869928 CEST	49726	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.640922070 CEST	49730	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.834140062 CEST	443	49729	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.834429979 CEST	443	49729	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:23.834482908 CEST	49729	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.834973097 CEST	49729	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:23.835364103 CEST	80	49726	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:23.835680008 CEST	49726	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.836684942 CEST	80	49730	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:23.836786985 CEST	49730	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.837950945 CEST	49730	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.838587046 CEST	49727	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:23.839545965 CEST	49731	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.033817053 CEST	80	49730	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:24.034111023 CEST	80	49730	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:24.035190105 CEST	49732	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.035219908 CEST	443	49732	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.035839081 CEST	80	49731	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:24.035904884 CEST	49732	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.035943985 CEST	49731	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.036204100 CEST	49732	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.036221027 CEST	443	49732	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.036407948 CEST	49731	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.037034035 CEST	80	49727	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:24.037168026 CEST	49727	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.078593969 CEST	49730	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.220349073 CEST	443	49732	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.221951008 CEST	49732	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.221988916 CEST	443	49732	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.232866049 CEST	80	49731	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:24.233645916 CEST	80	49731	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:24.235043049 CEST	49733	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.235099077 CEST	443	49733	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.235182047 CEST	49733	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.235419989 CEST	49733	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.235435009 CEST	443	49733	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.281733990 CEST	49731	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.428704023 CEST	443	49733	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.434164047 CEST	49733	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.434201002 CEST	443	49733	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.446238995 CEST	443	49732	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.446340084 CEST	443	49732	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.446542025 CEST	49732	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.446796894 CEST	49732	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.451172113 CEST	49730	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.452047110 CEST	49734	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.646744967 CEST	80	49730	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:24.646816015 CEST	49730	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.649116039 CEST	80	49734	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:24.649199963 CEST	49734	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.649338961 CEST	49734	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.653529882 CEST	443	49733	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.653672934 CEST	443	49733	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.653726101 CEST	49733	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.654314041 CEST	49733	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.657733917 CEST	49731	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.658972025 CEST	49735	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.846323013 CEST	80	49734	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:24.846988916 CEST	80	49734	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:24.848346949 CEST	49736	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.848386049 CEST	443	49736	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.848449945 CEST	49736	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.848701000 CEST	49736	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:24.848716021 CEST	443	49736	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:24.853980064 CEST	80	49731	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:24.854149103 CEST	49731	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.854557991 CEST	80	49735	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:24.854618073 CEST	49735	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.854882956 CEST	49735	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:24.891011953 CEST	49734	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:25.034475088 CEST	443	49736	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:25.035600901 CEST	49736	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:25.035633087 CEST	443	49736	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:25.050379992 CEST	80	49735	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:25.052484035 CEST	80	49735	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:25.053670883 CEST	49737	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:25.053704023 CEST	443	49737	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:25.053772926 CEST	49737	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:25.054109097 CEST	49737	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:25.054125071 CEST	443	49737	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:25.094311953 CEST	49735	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:25.246422052 CEST	443	49737	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:25.247868061 CEST	49737	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:25.247909069 CEST	443	49737	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:25.261770010 CEST	443	49736	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:25.261854887 CEST	443	49736	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:25.261908054 CEST	49736	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:25.262274027 CEST	49736	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:25.356497049 CEST	49718	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:25.356673002 CEST	49734	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:25.474509001 CEST	443	49737	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:25.474801064 CEST	443	49737	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:25.475034952 CEST	49737	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:25.475245953 CEST	49737	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:25.479945898 CEST	49735	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:25.481642008 CEST	49738	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:25.675995111 CEST	80	49735	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:25.676167011 CEST	49735	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:25.677172899 CEST	80	49738	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:25.677290916 CEST	49738	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:25.677426100 CEST	49738	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:25.873039007 CEST	80	49738	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:25.873717070 CEST	80	49738	132.226.247.73	192.168.2.8
Apr 9, 2024 15:35:25.875170946 CEST	49739	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:25.875197887 CEST	443	49739	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:25.875282049 CEST	49739	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:25.875741005 CEST	49739	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:25.875756025 CEST	443	49739	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:25.922238111 CEST	49738	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:26.061342001 CEST	443	49739	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:26.063438892 CEST	49739	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:26.063457966 CEST	443	49739	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:26.288336039 CEST	443	49739	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:26.288489103 CEST	443	49739	172.67.177.134	192.168.2.8
Apr 9, 2024 15:35:26.288686037 CEST	49739	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:26.290932894 CEST	49739	443	192.168.2.8	172.67.177.134
Apr 9, 2024 15:35:26.443574905 CEST	49738	80	192.168.2.8	132.226.247.73
Apr 9, 2024 15:35:26.443676949 CEST	49719	80	192.168.2.8	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 9, 2024 15:35:17.237782001 CEST	53301	53	192.168.2.8	1.1.1.1
Apr 9, 2024 15:35:17.327397108 CEST	53	53301	1.1.1.1	192.168.2.8
Apr 9, 2024 15:35:18.861677885 CEST	58372	53	192.168.2.8	1.1.1.1
Apr 9, 2024 15:35:18.950994015 CEST	53	58372	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 9, 2024 15:35:17.237782001 CEST	192.168.2.8	1.1.1.1	0x4ac1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Apr 9, 2024 15:35:18.861677885 CEST	192.168.2.8	1.1.1.1	0xba6b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 9, 2024 15:35:17.327397108 CEST	1.1.1.1	192.168.2.8	0x4ac1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 9, 2024 15:35:17.327397108 CEST	1.1.1.1	192.168.2.8	0x4ac1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 9, 2024 15:35:17.327397108 CEST	1.1.1.1	192.168.2.8	0x4ac1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 9, 2024 15:35:17.327397108 CEST	1.1.1.1	192.168.2.8	0x4ac1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 9, 2024 15:35:17.327397108 CEST	1.1.1.1	192.168.2.8	0x4ac1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 9, 2024 15:35:17.327397108 CEST	1.1.1.1	192.168.2.8	0x4ac1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 9, 2024 15:35:18.950994015 CEST	1.1.1.1	192.168.2.8	0xba6b	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Apr 9, 2024 15:35:18.950994015 CEST	1.1.1.1	192.168.2.8	0xba6b	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	132.226.247.73	80	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:17.541385889 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 9, 2024 15:35:17.738066912 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:17 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4da2fa53f52c606766433c9472b5a777 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>
Apr 9, 2024 15:35:17.745531082 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 9, 2024 15:35:18.843837976 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:18 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 810ac9581d4416c3adb699d0ca1edf13 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>
Apr 9, 2024 15:35:19.692859888 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 9, 2024 15:35:19.889678955 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:19 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee6c19057a3666f4e324db0fd27eaf7f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	132.226.247.73	80	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:19.873924971 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 9, 2024 15:35:20.070534945 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:19 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 29843e2f361815b0f806863f458af359 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>
Apr 9, 2024 15:35:20.084609985 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 9, 2024 15:35:20.281280041 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 94d00802b06e6a3d560c952d39665f31 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>
Apr 9, 2024 15:35:20.723026991 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 9, 2024 15:35:20.919991016 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f0dd44eb4a55f9136d1fa12de6660a95 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49714	132.226.247.73	80	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:20.530953884 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 9, 2024 15:35:20.728429079 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 00620b9090427fc73401cfe858a59f5f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49718	132.226.247.73	80	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:21.363058090 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 9, 2024 15:35:21.562176943 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:21 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 445f9d1aab3abf1a592e5baef4dfdca5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49719	132.226.247.73	80	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:21.555087090 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 9, 2024 15:35:21.751997948 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:21 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0594ddf36fbf567f041c49f74e7a1bdc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49722	132.226.247.73	80	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:22.203911066 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 9, 2024 15:35:22.402062893 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:22 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ba8982bfa59677400e82a2b92147f00c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49723	132.226.247.73	80	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:22.378627062 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 9, 2024 15:35:22.576437950 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:22 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fedc8d15f916d36eb2e43e9c09ba9d52 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49726	132.226.247.73	80	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:23.020195961 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 9, 2024 15:35:23.216644049 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:23 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7281b105c357cca4e338f2df26491945 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49727	132.226.247.73	80	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:23.210566998 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 9, 2024 15:35:23.409710884 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:23 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5d7fad8d1e2fa582bb46176d9eec66a9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49730	132.226.247.73	80	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:23.837950945 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 9, 2024 15:35:24.034111023 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:23 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee1e7a1f0757c6b0490eb9593e4d6752 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49731	132.226.247.73	80	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:24.036407948 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 9, 2024 15:35:24.233645916 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3e38072bc3407dcc031945a9903dca39 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49734	132.226.247.73	80	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:24.649338961 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 9, 2024 15:35:24.846988916 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9ec216b9cd10f732b3fc35a67c5c9994 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49735	132.226.247.73	80	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:24.854882956 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 9, 2024 15:35:25.052484035 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4fc6f4130666536e37cc8df81c0974b4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49738	132.226.247.73	80	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 9, 2024 15:35:25.677426100 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 9, 2024 15:35:25.873717070 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:25 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5c250e4241e1e6bed06eab1255f26967 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.228</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	172.67.177.134	443	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:19 UTC	87	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-09 13:35:19 UTC	707	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:19 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: MISS Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d1uPxye0HXSUWff064%2F6iWGl2W6qqJVsrHCL6vc0T9Fllmr54SgASgjkC4UM%2FWw%2BvC2H6shCoF%2B0bxS3VOT3q%2FGRIKCOcX%2FR6cJ%2F92bwtjuj0X9SMKA4O%2F%2Fa0svrW8Rfwk2hRyt4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae131ba6d80cd-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:19 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	172.67.177.134	443	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:20 UTC	63	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-09 13:35:20 UTC	706	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:20 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fa9sV%2BGiLSNhF3se%2BOAmbZQdP49bKUNViR6AjA7e73845aPnGUvs%2FPLV%2FQRN5AcRVLPsqJPlj0l6KQL1URUzLOPykXcuVS0eEvwcd3pm%2BkL6YMU3UCWJ9tVvvdvwa9BxlCl85kKw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae1379b3c8c29-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:20 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49713	172.67.177.134	443	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:20 UTC	87	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-09 13:35:20 UTC	698	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:20 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5zYqHdx1PJBz8J%2BbbwyVCvefx7dquBh4xTRjRf0o7vLekfXnCufBIoa2YptN7SrCLxuJPpEKRjtJP5MTw3hjNzWRer4MuKCiVEQyEUeoLEgXHZTj2N5rSVQC5mEm7IfANqOA0lyf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae13a1a8118b1-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:20 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49716	172.67.177.134	443	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:20 UTC	87	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-09 13:35:21 UTC	704	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oeqGO8dEJ5o8mQYboDGW9Nzxp0pkTCTl%2FoqUqzADLg0jcRapP7WIc642ycMhnx%2F8GmEcNAXYoPj%2BoqGPo3iJcNmPnH%2BwZcP9653eWgkkg1RygxjdI6N0CELfSWGxGqzgFKn1H9Ni"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae13ccdb2c427-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:21 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49717	172.67.177.134	443	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:21 UTC	63	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-09 13:35:21 UTC	710	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6Wr86Zh8TcfnvdnSHhdkxeEOeX%2BpxbQ%2ByJXKO7eAkdO51%2BmziBLB%2FYmou8uWWMvbzlJaTQ%2Fb0X1yDC7nIL3iGfxmVV3515K4hcAA1Cg2%2BFWbSLr1JeXTx0ezxTnyAkQn3A9H1%2BQ1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae13dfe3a424c-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:21 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49720	172.67.177.134	443	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:21 UTC	63	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-09 13:35:21 UTC	702	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0XDf2ITjGJZ7tOtHqu97hV4slq1tL%2BywBHbIyHWlgW71XnapXa7WMZPvSnNiyzF74yeGfvpJOL9%2FlMMqZZbOkEfbrG22D11TV9Yw3L%2BiGNbY9a32Ibr4fqhv4SVX0OPo1n6lpJps"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae141f87d42c9-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:21 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49721	172.67.177.134	443	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:21 UTC	63	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-09 13:35:22 UTC	712	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O%2F1Ipq%2BaPDxzeGLZDBMF73wdnNinlPPQQyqdeEdPXRAgP%2FuTPpvWCJvzOAm2mWck3w0YH%2FfeuFeIPGEv%2FrCGsJoPahl%2B5jGEQV%2FL708rV4SD6vsYU%2BvNQd3AIMvWVxnuiN3fNO5s"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae1433e8572a7-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:22 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49724	172.67.177.134	443	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:22 UTC	87	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-09 13:35:22 UTC	712	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CSAVRWk0bc%2B3OnWFKAPUlmiL2WC37j3e%2BXuH7HKaflkdIf2HF7%2F00kowMvYsqhQgG5H0xHWtsahUNZHaDpDS8k%2B%2FSm0w%2BAinV5%2Fvv9OzwJU4fisZILEuzPDz9iGDF69Wffp4%2B2TE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae1474a7f191e-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:22 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49725	172.67.177.134	443	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:22 UTC	87	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-09 13:35:23 UTC	702	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SY2jKboL6f5qA7YgLaqGeXUCMO3iA1F%2FxopEaA3naromyWYzcxo3Nh5VNL5cYhxMQUt8TRMliGwsWescbE7dISGdb%2BMvnzG4AJkeBkWPQapHaLvYoF7tlllhLdqbqje7Iv%2FtY8H4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae1486ed98c35-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:23 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49728	172.67.177.134	443	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:23 UTC	87	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-09 13:35:23 UTC	708	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PFJxFFz1zRk4zEl4d1o8UaB0DjOqq%2FMnxMzVs%2Fv3b%2F0xqwmFYJownSwlipa7vJKsVMsf%2F8wM7Q%2BvynEwVa%2FemuM1REY7FDzRu0LXWsbcqHYEaBOJOOdlbETvZavPHWwcETHMKhLL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae14c5b0f1835-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:23 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49729	172.67.177.134	443	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:23 UTC	87	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-09 13:35:23 UTC	708	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CCInjSAUckXMBi%2F6Kb99C7Jwd1POCKpstVlXhmLEUPlomzHMzpK6jmEeAmKc6d9W%2FlY%2BF%2BfXB54YacsUsWcmSABHWgJPj5jFs7vdOUoE3D4ON%2Bg6MGkvBRHe0Y%2FnnscqmOuKwkeJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae14d9b080f6f-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:23 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49732	172.67.177.134	443	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:24 UTC	87	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-09 13:35:24 UTC	712	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=umlCHTZA1wvkSRREBo75NtxY%2F0rvl5ju%2F7ET%2BF%2FGV2ilAbEIojnf50GjVGczWEFnWij%2Bf%2FxT2K235q4KaPV19IqTyZ%2BASB51MfMWeCySwSlclRJB%2FO7QzHFxptOeJbHeckdDpxqX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae1516ea78c1d-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:24 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49733	172.67.177.134	443	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:24 UTC	63	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-09 13:35:24 UTC	708	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kDrZh%2FshkFV4HvKlpVIMjgBEl7b%2FhwdZ4fjB0sWquscWFNAp2RqBXjCidxxt4%2FAHZeuDvKAGVvdNasN9rrEHlpZ%2Bg51J4qIMbAWML7wWBlvqBKffpjmqt1sY%2F7p7EcbF%2B58hVdqi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae152bf420c78-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:24 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49736	172.67.177.134	443	7260	C:\Users\user\Desktop\BmLue8t2V7.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:25 UTC	63	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-09 13:35:25 UTC	706	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 6 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rNWFq%2FfH26wjiybtRcu1vvpIdG%2B30prgITKykVOEyXNKd72Ls2VRJNh3hCCsZQr%2BugRJOGfhInyc5%2FBb1LLJqsnBzrR2RUjTeBXdzGw0ScL8eT7uwvf30sJNMYKSyFtinQpthb%2BH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae15689c4420a-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:25 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49737	172.67.177.134	443	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:25 UTC	63	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-09 13:35:25 UTC	704	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 6 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e6BNJRETtFBc44hbTUWd9ftO5amhVM4Rc3Apvh1Wd%2FobZxbMPoL1wVDs0t8neJ46toB3USxo3flm0%2BjLLyY3D8X55laZCNFKfjFFRazbbEiXzaa3yNuY9R%2BAqmPI9M%2Bg6iPwKtn7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae157d920726e-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:25 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49739	172.67.177.134	443	7492	C:\Users\user\AppData\Roaming\ffVsTPS.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-09 13:35:26 UTC	63	OUT	GET /xml/191.96.227.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-09 13:35:26 UTC	712	IN	HTTP/1.1 200 OK Date: Tue, 09 Apr 2024 13:35:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 7 Last-Modified: Tue, 09 Apr 2024 13:35:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jxqd%2BG4Ehk%2Bx3yiy9BsCBdmxBg5kb0Z6zmFF%2FeA8D4q4v3FElLYVXL0W%2BHn2g59nFf60WTY2x9HuAq7%2FOPl7tf5XPoPd1uEkCwVKITU9yce%2F2B8Wg9PGIALoAlcHU1Foms4%2Fp%2BFK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871ae15cfccf183d-EWR alt-svc: h3=":443"; ma=86400
2024-04-09 13:35:26 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-04-09 13:35:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:35:13
Start date:	09/04/2024
Path:	C:\Users\user\Desktop\BmLue8t2V7.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\BmLue8t2V7.exe"
Imagebase:	0xa70000
File size:	573'440 bytes
MD5 hash:	0C84A5727488A29D79506AAD7B9E8FCA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1397872704.000000001E1A1000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1393374776.0000000013FCB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:35:15
Start date:	09/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ffVsTPS.exe"
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:35:15
Start date:	09/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:35:15
Start date:	09/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpB438.tmp"
Imagebase:	0x7ff742810000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:35:15
Start date:	09/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:35:15
Start date:	09/04/2024
Path:	C:\Users\user\Desktop\BmLue8t2V7.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\BmLue8t2V7.exe
Imagebase:	0x490000
File size:	573'440 bytes
MD5 hash:	0C84A5727488A29D79506AAD7B9E8FCA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000007.00000002.1478842928.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.1476046135.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:35:16
Start date:	09/04/2024
Path:	C:\Users\user\AppData\Roaming\ffVsTPS.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\ffVsTPS.exe
Imagebase:	0xd70000
File size:	573'440 bytes
MD5 hash:	0C84A5727488A29D79506AAD7B9E8FCA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:35:17
Start date:	09/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\user\AppData\Local\Temp\tmpBC08.tmp"
Imagebase:	0x7ff742810000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:35:17
Start date:	09/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:35:17
Start date:	09/04/2024
Path:	C:\Users\user\AppData\Roaming\ffVsTPS.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\ffVsTPS.exe
Imagebase:	0x3f0000
File size:	573'440 bytes
MD5 hash:	0C84A5727488A29D79506AAD7B9E8FCA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.1486729273.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:35:18
Start date:	09/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	15:35:24
Start date:	09/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\BmLue8t2V7.exe"
Imagebase:	0x7ff64f6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:35:24
Start date:	09/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:35:24
Start date:	09/04/2024
Path:	C:\Windows\System32\choice.exe
Wow64 process (32bit):	false
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x7ff680f50000
File size:	35'840 bytes
MD5 hash:	1A9804F0C374283B094E9E55DC5EE128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:35:25
Start date:	09/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\ffVsTPS.exe"
Imagebase:	0x7ff64f6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:35:25
Start date:	09/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:35:25
Start date:	09/04/2024
Path:	C:\Windows\System32\choice.exe
Wow64 process (32bit):	false
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x7ff680f50000
File size:	35'840 bytes
MD5 hash:	1A9804F0C374283B094E9E55DC5EE128
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFB4B26BBFF Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

R0K, xrefs: 00007FFB4B26BC77

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: R0K
API String ID: 0-2049922371
Opcode ID: 406734a2e61849fab7fa3298e132ace8de7dbae1d7ace84f126f1917a6be45d3
Instruction ID: 8ee7965b9c61ad720e282769462177e572c0e54e16564ed2f2da8da429b4caf3
Opcode Fuzzy Hash: 406734a2e61849fab7fa3298e132ace8de7dbae1d7ace84f126f1917a6be45d3
Instruction Fuzzy Hash: 6B91F87190D6C98FD356EF38C85A5A57FE0FF46304B0945FED089C71A3EA28A846C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26E1D1 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17078f978d3b146f017457a5f2c87cbe4942ce4271d7bbb2a4c7296a1fc8ed9c
Instruction ID: fe2970088e8b1742b1591877af05195748a279ae396dde2dd038fac0bef90b91
Opcode Fuzzy Hash: 17078f978d3b146f017457a5f2c87cbe4942ce4271d7bbb2a4c7296a1fc8ed9c
Instruction Fuzzy Hash: 36123DA7A0D6A14AE3127B7DF8522EA3F50DF8363570845F7D6C98D093ED18244B87B1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26214C Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b52c0b5fac2acc3aac979aac73870a666167b0819cb32d9050910f1c563567
Instruction ID: f0f374cc47d54131fbb0b75015934dfbac358571c44803267efb3f88c38c5021
Opcode Fuzzy Hash: f3b52c0b5fac2acc3aac979aac73870a666167b0819cb32d9050910f1c563567
Instruction Fuzzy Hash: 04220E70A1995D8FDB98EF28C899BA9B7E1FF58300F5041F9D40DD72A5CE34A981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26239D Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797f06c4f5c2b86ce831e3ee6758fa9cf403b3df22a21a467e52205e5466e9e5
Instruction ID: ae4b0682612dfd2d47e72a98c8b7ece443650edb22fcd8d5686a514dc2a76ddb
Opcode Fuzzy Hash: 797f06c4f5c2b86ce831e3ee6758fa9cf403b3df22a21a467e52205e5466e9e5
Instruction Fuzzy Hash: 80E1DA70A09A1D8FDB99EF28C899BA9B7E1FF59301F5041E9D40DD72A1CE35A981CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B266078 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9dbbaf734e126988ecdfdf016f36ad26c6314946e54fc184e4b9f7c5ec2a872
Instruction ID: 40c8e378a58c08de4824e1ecdaf85bcf7bdbaabe77f6ae8c61b3df987506f9e1
Opcode Fuzzy Hash: d9dbbaf734e126988ecdfdf016f36ad26c6314946e54fc184e4b9f7c5ec2a872
Instruction Fuzzy Hash: 82F02B91A0CB4A5FE345AB6C88922A13FC5EF69200F84457CD58DC71E3D918D9448342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B265208 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

`, xrefs: 00007FFB4B265234
a, xrefs: 00007FFB4B2653A3
!, xrefs: 00007FFB4B2653AB

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: !$`$a
API String ID: 0-2522460808
Opcode ID: 8f752f9d70ac25145387c4fd847536abd5c92b61261b3965d74b61aeb8a199ba
Instruction ID: d26eeea962213475421367cfdf6f18c5b34fe813e53d67dbcf5b136173310162
Opcode Fuzzy Hash: 8f752f9d70ac25145387c4fd847536abd5c92b61261b3965d74b61aeb8a199ba
Instruction Fuzzy Hash: 9C31C29080D7C65FE3566B7888602657FE0EF17610F0982BEE5C6C70E3DA18A815C362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26524A Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

), xrefs: 00007FFB4B26524B
a, xrefs: 00007FFB4B2653A3
!, xrefs: 00007FFB4B2653AB

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: !$)$a
API String ID: 0-3910272199
Opcode ID: 910fd519e530fe71359c6b2ae2007183b3e1772674657d7569cd7bb429cbd1e3
Instruction ID: 2378bbaec76318344165682e8e8c7e520856d5641672c6cf5452678712241353
Opcode Fuzzy Hash: 910fd519e530fe71359c6b2ae2007183b3e1772674657d7569cd7bb429cbd1e3
Instruction Fuzzy Hash: CB31D4A050D3C65FE346BB7888602617FE0EF57710F0942EED4C9C70E3DA18A815C362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2667B6 Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

h/0K, xrefs: 00007FFB4B266820
K;, xrefs: 00007FFB4B2667C2

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: h/0K$K;
API String ID: 0-2744862773
Opcode ID: 51c00d61adcb291ed904633a148db304eeb7a4acfb833bebaaa9c92b47a1b983
Instruction ID: 063f63d71dd55bdc78322611b90352e335bcd582d33b93a107903692012e64e2
Opcode Fuzzy Hash: 51c00d61adcb291ed904633a148db304eeb7a4acfb833bebaaa9c92b47a1b983
Instruction Fuzzy Hash: C731E691A0CA8A0FE79BBA7CCD642A52FD1EF95250F1841BED189C71EBCC1CAD058351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2685C1 Relevance: 2.6, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

0A0K, xrefs: 00007FFB4B2686D9
@A0K, xrefs: 00007FFB4B2686E9

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: 0A0K$@A0K
API String ID: 0-11981079
Opcode ID: 64bc2b5d53054139c1d691f5770af3051663775306c41cd556b1e62b3404eb79
Instruction ID: d4a2f7a6dd3b9a1f52cb3991a4c77a5007b118d71987c5a4f8621e0b7ed30f45
Opcode Fuzzy Hash: 64bc2b5d53054139c1d691f5770af3051663775306c41cd556b1e62b3404eb79
Instruction Fuzzy Hash: E1318FA190E7C54FE317AB389C651547FB1AF57210B1A81EBD084CB0F7E9189D4AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2666C3 Relevance: 2.5, Strings: 2, Instructions: 32COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFB4B2666D3
r, xrefs: 00007FFB4B2666CB

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: %$r
API String ID: 0-2384768175
Opcode ID: 1f14e374075f8c81c8d9480aec91b4c3fc9f5ee421e5eb8827edc5746c32228f
Instruction ID: d67d24d2a1a3a971fd4019ec967dbea5bbf7c5410bc711e7e6d756ad1bfcc5a8
Opcode Fuzzy Hash: 1f14e374075f8c81c8d9480aec91b4c3fc9f5ee421e5eb8827edc5746c32228f
Instruction Fuzzy Hash: A2F0C26190C70A8FD354AF6CC980766BAE1FF84345F54827DE58C82296DB78E984C685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B269B95 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

], xrefs: 00007FFB4B269D67

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: 1255790b228e59723957faa21f456429f2f3ef6bbeceea2cd7b760b265b67d0a
Instruction ID: 24de2413f7e7f8fa9f47e87a782c3c8eb21e6d65bc3736f85e82a88f3a81bdc1
Opcode Fuzzy Hash: 1255790b228e59723957faa21f456429f2f3ef6bbeceea2cd7b760b265b67d0a
Instruction Fuzzy Hash: 8BA1BD7080D7998FD716EF78C8516A97FB1EF5A310F1941BFD089CB1A3DA286806C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B264630 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

0?&K, xrefs: 00007FFB4B26484A

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: 0?&K
API String ID: 0-3699940908
Opcode ID: d6c9b96c00709e4f602cf6deae3569c15b891a45032c2d7e3e96aac518e6b129
Instruction ID: 8c568a831e26e311c687a8f5c147eef04d223c31af89b3e6ed3a8b99ab6292c8
Opcode Fuzzy Hash: d6c9b96c00709e4f602cf6deae3569c15b891a45032c2d7e3e96aac518e6b129
Instruction Fuzzy Hash: 79A1F47191DB8A4FD306EF78C8646A97FB1FF5A300F1445FAC05AC72A2CA292846C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26590A Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

y, xrefs: 00007FFB4B265F29

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: y
API String ID: 0-4225443349
Opcode ID: d5cffa52f7187b734ae19617cf7d1f2381b2231529a7c98187e52deb3d3a397f
Instruction ID: 1367ffa4b1152352cd6cca3855082d8c9a58667fc0acb4e681de5a6ef2b3e704
Opcode Fuzzy Hash: d5cffa52f7187b734ae19617cf7d1f2381b2231529a7c98187e52deb3d3a397f
Instruction Fuzzy Hash: EF71CF6040D3C65FD3179B7888A56A57FF0EF57220F1986EFD4C9CB0A3E628684AC752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26B019 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

r, xrefs: 00007FFB4B26B031

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 614c04918d5ab70be9136515624727e8b042a866c5b5203de1b4e18ee6a04e5f
Instruction ID: 21f3cf87a7b09d01b26e25eaec5b7c5bea9751034f54c7d2a4a8ba6d4b4a8ea9
Opcode Fuzzy Hash: 614c04918d5ab70be9136515624727e8b042a866c5b5203de1b4e18ee6a04e5f
Instruction Fuzzy Hash: F851067190C6859FE71AAF7CC8965A57FE1EF47310F1982EED089C71A3DA2868068352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26A750 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

), xrefs: 00007FFB4B26A775

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 0fc95aa3c60edb1221b13a06211455ee3146e7f57b3e2d2d8f2e7f2b4184d932
Instruction ID: 938404e9dba1512f452c1a2f9b0b152a0420a43c9c71e4b9bafaee14a37cb6dc
Opcode Fuzzy Hash: 0fc95aa3c60edb1221b13a06211455ee3146e7f57b3e2d2d8f2e7f2b4184d932
Instruction Fuzzy Hash: 3741237190D3C65FD31ABA7888554657FA0EF47320B1A42FFD08A870E3E95C6857C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26E822 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

r, xrefs: 00007FFB4B26E82F

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 3b0bf5ae16f88d55457b9bdcdbf4a4d3d2785542857b17a8467aaad93102f440
Instruction ID: 4a42cc46ee15ac0c60b77a0c07071a833349d813c5625f0a3c3b9903b41577ed
Opcode Fuzzy Hash: 3b0bf5ae16f88d55457b9bdcdbf4a4d3d2785542857b17a8467aaad93102f440
Instruction Fuzzy Hash: A6317F6180E3C68FE357BB3489611997FB0AF03214F1A85EFD095CA4F3E91C594AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26E8E5 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

B, xrefs: 00007FFB4B26E8E6

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: ffee83b873c8cef175988e416cab1d2a187d98f2984c67ee8703b26a6b9243ae
Instruction ID: beee4688247a5a6590b5bba85c910638405750e3d12bcdd73e0ca4c9db8afa5a
Opcode Fuzzy Hash: ffee83b873c8cef175988e416cab1d2a187d98f2984c67ee8703b26a6b9243ae
Instruction Fuzzy Hash: C421296084E3C69FE3576B748921195BFB06F03214F1A86EFD1D5CA4E3E65C184AC722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26BC61 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

R0K, xrefs: 00007FFB4B26BC77

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: R0K
API String ID: 0-2049922371
Opcode ID: cdfe457810d6b3c8fa61fea04cbc70d1650b7435708c904168401e79162775a6
Instruction ID: 9003905908bcba3b4fb975daf5a90fdd5326ff1faa66c842404b9e77885eafc1
Opcode Fuzzy Hash: cdfe457810d6b3c8fa61fea04cbc70d1650b7435708c904168401e79162775a6
Instruction Fuzzy Hash: 090128B2A0C9498FD388FF2CC49A5743BC1EFA5250B04817FD04DC76B1DD255D428301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B268925 Relevance: .6, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5fd8bd4f8f466c452558fca393e3a56a057211e62dd19d255c809ac6229c55
Instruction ID: c084e1ca1cb805275031a2c266087f4ade3715fd22c888121dd10dc38e5b1f88
Opcode Fuzzy Hash: ad5fd8bd4f8f466c452558fca393e3a56a057211e62dd19d255c809ac6229c55
Instruction Fuzzy Hash: 863282B180D2868FEB19EF28DD516A93FA0FF15315F1841BFD948CB1A3F62C581A8791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B267F5A Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2caa5357af9955fdee029a557cc50f7903bcd45709a8a522645f4a439ddb989b
Instruction ID: 09526501d6c9dd750a83092cb81b1732ec8915224a756b627001f776c54ecf4f
Opcode Fuzzy Hash: 2caa5357af9955fdee029a557cc50f7903bcd45709a8a522645f4a439ddb989b
Instruction Fuzzy Hash: 3A81E2A180D7C54FE31AAB7888656617FE0EF57310F1981EFD5CACB0E3EA586806C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26A5F5 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3932029fac9049c1ffa613f6bd9d07e9952e10c0dafe11141df961db5c7be6b7
Instruction ID: 30564357c7c51d86705498c8e992cd6169e3b8dbcf3e5155c5ffc8b2ca078a13
Opcode Fuzzy Hash: 3932029fac9049c1ffa613f6bd9d07e9952e10c0dafe11141df961db5c7be6b7
Instruction Fuzzy Hash: B77116A190E7C55FE31ABA788C550657FA1EF97210B1982FFD189CB0A3E8586817C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2641F2 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb223ee9f751c0c141c3d06bc1d803eaa2684fc91591f509f129f21aa8914a9
Instruction ID: b5b1c3b155cca99a7faa97976d18c635aac716ce8f0a02802d96e6340a66258e
Opcode Fuzzy Hash: 5fb223ee9f751c0c141c3d06bc1d803eaa2684fc91591f509f129f21aa8914a9
Instruction Fuzzy Hash: 8F5139D2D0DAC64BE746BA7CD8621F97FA1EF65220B1941FBD5D88B0A3DD0428068391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260658 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbe9335c08ce1e0572eec78d8f9dfc187719bb801871bc69f937d4945e2bf6b
Instruction ID: 59bda17afabda0d3a6e815fdce495bc35e87295268f8b4695753796d2a3ab88b
Opcode Fuzzy Hash: 5bbe9335c08ce1e0572eec78d8f9dfc187719bb801871bc69f937d4945e2bf6b
Instruction Fuzzy Hash: 1E51A4B1E0C65E8BDB49EE7CC9955AE7BE2EF98300F14417DD14DE3291CE3459028791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260A29 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a1fc521b153c415ed5c06d68c2851848896074b366bd99208398df4fded2b3
Instruction ID: 61cf5a1e15804efd27e6691ce8c278cc2488f0eea22aedca3eb63cbf27caec94
Opcode Fuzzy Hash: 78a1fc521b153c415ed5c06d68c2851848896074b366bd99208398df4fded2b3
Instruction Fuzzy Hash: 01512FB1D18A4D8EDB95EFA8C4956EDBFB1FF68300F4441BAD14CE32A2DE245841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2610BF Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81d93d28d0ab1f6cb9ec61a166b9d8c44c5f434ef3003c5956fb2b116070eac
Instruction ID: 935864235196d29a180a97eb0b071996698fc738d1df9dd76bbb15f31475543e
Opcode Fuzzy Hash: b81d93d28d0ab1f6cb9ec61a166b9d8c44c5f434ef3003c5956fb2b116070eac
Instruction Fuzzy Hash: A55142B161CA8A8FDB88DF2CC8A5A653B92FF98354B14459CE45DC72D6CB35E862C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260A40 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e97878b4f63c377b853611c145b00434cb14fed42bdfa63b66a45ac73630581
Instruction ID: 56411da89653d47771ef215dbed78860f0b79e29959bbec0fd8006ae5efbb42c
Opcode Fuzzy Hash: 9e97878b4f63c377b853611c145b00434cb14fed42bdfa63b66a45ac73630581
Instruction Fuzzy Hash: CE512DB1D1894D8EEB95EFA8C4956FDBBB1FF68300F5041BAD10CE32A2DE3458418B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B269191 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9596ebfa52fe6f500d1464ce344ed09c7afc88261b8917b6ba85b26820bee5d6
Instruction ID: 51223468d8a01ddcbee7096d3e6b44356ef2bd638998f7d570b32eef8f7e372c
Opcode Fuzzy Hash: 9596ebfa52fe6f500d1464ce344ed09c7afc88261b8917b6ba85b26820bee5d6
Instruction Fuzzy Hash: D05192B190825A8FEF58FE58C9416FA77A1FF59301F10447DD90993291DE38A846CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2692FD Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635670e71744a321b44b53f092bbf03b7c55a5c33d6d981b8e9a4918d8e48eda
Instruction ID: 1702ee8ffde1a8f90ce335c18fc74ad84bd6e7ce10d0423b333233f33d1fa7cd
Opcode Fuzzy Hash: 635670e71744a321b44b53f092bbf03b7c55a5c33d6d981b8e9a4918d8e48eda
Instruction Fuzzy Hash: 87414070D1865E8FDB49EF68D8919FEB7B1FF99300F00542DE51AA3291CE34A852CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B268E7D Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2b03a2b76887de16ee0e9924c675b99ff86884daacb3aaf890bf79be0b05ee
Instruction ID: f2c0d2f20ae7565daedc3cf0446740f0ce77dfae11e8c071c5e17264535fcbaa
Opcode Fuzzy Hash: bd2b03a2b76887de16ee0e9924c675b99ff86884daacb3aaf890bf79be0b05ee
Instruction Fuzzy Hash: 3C412CB1918A4D8FDF45EF68D8959EDBBF1FF58300F00416AE809E7292DB34A945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B261157 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebde37aa8405ed2bb8343c9d2df4b5ffaa1d900487d112f73c05c61f873507a
Instruction ID: 14ef17ff9a3eacec69e85069c7c23069256bd27ca50954150befef4c21d4abf5
Opcode Fuzzy Hash: 9ebde37aa8405ed2bb8343c9d2df4b5ffaa1d900487d112f73c05c61f873507a
Instruction Fuzzy Hash: CD4142B161CA898FDB89DF2CC8E5A653B92FF98344B14019CE45DC72D2CB75E862C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26A161 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb9a02fffbd29ae0a01d04c60a85c8f3d0ac9ab1bb4ea07eb14e9eb818d8801
Instruction ID: c54fa8312faa32a67de0025c14c36f45df269e562dbef3eea86ada30c00498b1
Opcode Fuzzy Hash: 3cb9a02fffbd29ae0a01d04c60a85c8f3d0ac9ab1bb4ea07eb14e9eb818d8801
Instruction Fuzzy Hash: 3E318D5260E7C95FD747AA3C98A16307FE2DB5721070D80FFD18ACB1A7D8089C468366

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26B600 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05633dfc93f8adf5a02f045195569699af565dbec15d4520a5e110b261db79fa
Instruction ID: b07b5d8de6d71f1523e3fbed56b716e6e7b8cb27044d5d74eda6ee03778b119b
Opcode Fuzzy Hash: 05633dfc93f8adf5a02f045195569699af565dbec15d4520a5e110b261db79fa
Instruction Fuzzy Hash: 2831A06180D3C14FE31BAB348C565A17FB0EF53310B1942EFD485C71A3EA18581AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B265FAB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bcac74abb5e4de6d30cc1511ec34742d2ae70e2df7be9c7f91149a92679ead
Instruction ID: f8a330112889dd15d0d1f17daaee0dd8a429ef39a8b2644cfdd9243cd44c6b01
Opcode Fuzzy Hash: c1bcac74abb5e4de6d30cc1511ec34742d2ae70e2df7be9c7f91149a92679ead
Instruction Fuzzy Hash: E6315A6194E7C25FD30BAB7888621A47FE0AF57214B1981FFD0C9CB1E3D61C984AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B264E04 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba61968f535c809606bf511c0cbec38a2cd22b35ebd2676cd7efb7ba6bc69bff
Instruction ID: a3dbf165c4de7dfcda77f665eade75b00f3cc5ceb831a29d098647a1628009dd
Opcode Fuzzy Hash: ba61968f535c809606bf511c0cbec38a2cd22b35ebd2676cd7efb7ba6bc69bff
Instruction Fuzzy Hash: 9821D5A1F089198FE798FE6CC415769BBE6FBA8300F10827AD45DD3296DE349C424790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B261CC8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75bc20ac265d31ed49461c13c7c10e64825fdf499423ebb80b377c8ab2ac9c9f
Instruction ID: 0e07095a3425d186cf51a984f321d55e8ed60387f856faa9113118bfa4081dc8
Opcode Fuzzy Hash: 75bc20ac265d31ed49461c13c7c10e64825fdf499423ebb80b377c8ab2ac9c9f
Instruction Fuzzy Hash: 7D21C1F291DA994EE7A5EA2CD8062E9BFE1FB44711F0041BAD08CE2191EB242D518B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B264295 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8797a4d9a22f0cfc089c53c1dc50d136adc7add41eec542e356a39f512526e9e
Instruction ID: 272bc3a98e9a186a8f4f87ee4ed0ce713c1fe5ed5a40709d221d9d46ab4772b0
Opcode Fuzzy Hash: 8797a4d9a22f0cfc089c53c1dc50d136adc7add41eec542e356a39f512526e9e
Instruction Fuzzy Hash: 2021A2A1D0D98A8ED746BF7CC8211FD7FB1EF95214F5401FAD488D71A3CD28281587A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B268260 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff5b6ccbddd2d1e5fc85431b6d20442cf73f36061b1e563d8c9add96224fdff
Instruction ID: 3e5e739681604d45b7ecaacc5bbd673f7add52a592c06143bb3dbe38cde160a4
Opcode Fuzzy Hash: eff5b6ccbddd2d1e5fc85431b6d20442cf73f36061b1e563d8c9add96224fdff
Instruction Fuzzy Hash: 3A217AA190D7C54FE357AB3888652547FE0AF17310B1A85EFD0CACB1F3EA585846C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26E887 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a919499c0309760bb4f2d1b3bfeebf3083b4149e394a8a97c37bb138633af5f4
Instruction ID: 2a721cb9ee88afbbd1417f9ce41f9b88c0c99cbc456fc3aff52c30d36ff81a6d
Opcode Fuzzy Hash: a919499c0309760bb4f2d1b3bfeebf3083b4149e394a8a97c37bb138633af5f4
Instruction Fuzzy Hash: 1231716094E3C68FE3977B7889212A47FB1AF43210F0986FFD199CA4E3D91C1849C762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2642E5 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c4b35164713cbfdc8700b96b1370870c587f704981c8d4369d73da9b996365
Instruction ID: e529560176f2173b300433deb487339f9bc5442ccab718a269dff822a3a715e7
Opcode Fuzzy Hash: 47c4b35164713cbfdc8700b96b1370870c587f704981c8d4369d73da9b996365
Instruction Fuzzy Hash: C421A3A1D0DA8E8ED746AFBCC8211FDBFB1EF99210F4401FAD488D7193DD24295587A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B266636 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe355d9dc17befae81d09357c5d08d3068c3a484b01e088e436bb6eec8df422
Instruction ID: 8f782fd5604d44d4154e7778bd2414098be8840cb8659c54506cbb365418698f
Opcode Fuzzy Hash: 6fe355d9dc17befae81d09357c5d08d3068c3a484b01e088e436bb6eec8df422
Instruction Fuzzy Hash: 1A2105A1D0CA5A8FE3A5BE2CC9413A5BED1FF55300F94C2B9E54C83196DD38AD818B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26828A Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd85438a3e9fd4d927d0fa2837a304b85db4878045f4a85a4c65b4a5aeca236
Instruction ID: 7a69b3d96acedbec35fa5deedd0262ab3f3c228695574e3c26634ecdee31280a
Opcode Fuzzy Hash: 7cd85438a3e9fd4d927d0fa2837a304b85db4878045f4a85a4c65b4a5aeca236
Instruction Fuzzy Hash: 46218CA190E7C64FE3476B3898651947FA0AF17314B1982EFC1CACB1E3E95C1847C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26823C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618a0f696514c7402b5f26e098c24ac725c60c65233cb95d4b1ff4f0ea58d190
Instruction ID: b5d064dd91fd24e461e67629add2676f4a277d76436153176e91e3e63e4d939f
Opcode Fuzzy Hash: 618a0f696514c7402b5f26e098c24ac725c60c65233cb95d4b1ff4f0ea58d190
Instruction Fuzzy Hash: B821A1A190D7C54FE3176B7888651907FA0AF17310F1982EFC1CACB0E3E66C5846C762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26098D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5f8e108cc6c4f4d8296b98068c50762177613286b9878674955b01e3a0c08d
Instruction ID: 3d5d2173cdc32573298311af6d7f0d4469b5439ce35c5fa442361839da7a706b
Opcode Fuzzy Hash: 7c5f8e108cc6c4f4d8296b98068c50762177613286b9878674955b01e3a0c08d
Instruction Fuzzy Hash: 27113D71C1964E9FEB80FF78C8856EA7BF1FF59301F0444AAE418D71A1DA38A951C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26640C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ac224f8b31f046b7d8a2345fdcdb3e50ed09cdf3c5e25f30e7b6024670ed0e
Instruction ID: 9de72910fe11aa1f6c089057a273cf7e2aed4eab245ff374ed05ac8340d9f4f1
Opcode Fuzzy Hash: 45ac224f8b31f046b7d8a2345fdcdb3e50ed09cdf3c5e25f30e7b6024670ed0e
Instruction Fuzzy Hash: DA11C4B09085599FD759EF28C850AF6B6A5EB45320F0442B9E14EC3296DA34AD82CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B261DAE Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8bfbdc1104fd395a018cfc832014e595606b8f5e6fda3d9cb3328969da544d
Instruction ID: bda42b3d338667df7b9761de2c8e0d6738e1908a6162952b72151275da0a6d91
Opcode Fuzzy Hash: 6b8bfbdc1104fd395a018cfc832014e595606b8f5e6fda3d9cb3328969da544d
Instruction Fuzzy Hash: 8F1133B191895E8FE7D9FE18C885BD973A1FF58304F0441B9D40DE3155CE34AD928B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B261EF1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd47fdf93eeb00d82dbddc1cc8f1b640a83d743b7fe7dc7a60029f945f6dcbaf
Instruction ID: ccdf21a8b289500650977a0b80a9ed456d5b8256f7c2c2e8acab9f1c0f754e74
Opcode Fuzzy Hash: dd47fdf93eeb00d82dbddc1cc8f1b640a83d743b7fe7dc7a60029f945f6dcbaf
Instruction Fuzzy Hash: D111E9B091895E8FDB95FF18C884BE977A1FF58304F5442F9941DD3256CE34AE828B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26B063 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c242048d12e4acd38b56070c498778ed18d4eb0b3f97519696fbff282a73323c
Instruction ID: 60153f7fa630f84278a587a817f568f6fc79f21c39067d6f6782a9cfc90a0e40
Opcode Fuzzy Hash: c242048d12e4acd38b56070c498778ed18d4eb0b3f97519696fbff282a73323c
Instruction Fuzzy Hash: E71170B1A0C6495BE748AF1CC4957A97BE2FB88304F50426DB18DD32D6DF3899068781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260538 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cc90c4a9743bb3b031e69a043935f76278e3abc8e9a3cdbf45fb20ea686faa
Instruction ID: 3771bfc241dcef059406a2d5fff04e82dfc79919e9e958d06b4adb09a9a8b853
Opcode Fuzzy Hash: 65cc90c4a9743bb3b031e69a043935f76278e3abc8e9a3cdbf45fb20ea686faa
Instruction Fuzzy Hash: 8D01F57151CA495BD788FE2CD45056B7BD1FFD8390F40463DA149D33A0DD25AC008781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260CF5 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e8812527b5924d24e02c54ebff718b0219f98456f61c77a31aac1f0e004f7e
Instruction ID: 2ae3d38b17564c4698c9e1b5c97f181a64135cffc83e10803b54f1d6d39f7f5f
Opcode Fuzzy Hash: e1e8812527b5924d24e02c54ebff718b0219f98456f61c77a31aac1f0e004f7e
Instruction Fuzzy Hash: F801B57041DBC95FD786EB38D4905A77FE0EF8A310F4406BFE185D72A2CA6499458782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26085D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3397a63cf09ccdac4136197d8e84c7cae7fe09758acebbe400a0199797f4c257
Instruction ID: 64410a2cf800b4352515457f4f53fdd60ae6427f5f9f96525086aaf425a7b49b
Opcode Fuzzy Hash: 3397a63cf09ccdac4136197d8e84c7cae7fe09758acebbe400a0199797f4c257
Instruction Fuzzy Hash: 18F0A9E280EB8A9EE355BFB8C9950A57FE0FF52300F154CBAD485D10D3DD255444C281

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26A7C7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5272c912a877834adb87be8cda99f6068bcf79aa78d2fd41f8944f168d381dd6
Instruction ID: 1a1ad9c8832a28ad67e1d967ac2f079e8eca4320b14f33f43a6fc022db7c0515
Opcode Fuzzy Hash: 5272c912a877834adb87be8cda99f6068bcf79aa78d2fd41f8944f168d381dd6
Instruction Fuzzy Hash: 98014CB390C7421BD358AE1C85421A97FD1FBA6310F10463DE2CA822E1DE2859174382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B264EE7 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa009e298f1fb2179aea79ed6216601de169243702a2ca0b92a18ce1b7ac3d74
Instruction ID: f2d28a69aea837e43d849dfba63de19e8d8ecc964257a60128828af67dc4aba7
Opcode Fuzzy Hash: fa009e298f1fb2179aea79ed6216601de169243702a2ca0b92a18ce1b7ac3d74
Instruction Fuzzy Hash: 4C018FA1E1CA4A4FEB98BF7CC55567966E1EF14300B508079E65DC71A7ED28AC028280

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B264D98 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c0c11b1a54286985a3ce578bb20f332dc1184fdc558a99bc4a398676f1d5ca
Instruction ID: e263e371f9efbdf9d0f6adefc71c61aaa10fbac3b63b546c83b4c54eecd3e0da
Opcode Fuzzy Hash: 45c0c11b1a54286985a3ce578bb20f332dc1184fdc558a99bc4a398676f1d5ca
Instruction Fuzzy Hash: 53014F60E1C94A9BEB84FF7CC15566DAAE2FF48300F54817DE65DC3297DE29AC428740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2661C5 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e6fe00133f725e4a92169ad8243466398af5d7be1e8439bdc0487de1cf4848
Instruction ID: c049726b5c40fd4856d8a3d84793518ee0f9abd40e86caad8228e4c99b8629e7
Opcode Fuzzy Hash: 87e6fe00133f725e4a92169ad8243466398af5d7be1e8439bdc0487de1cf4848
Instruction Fuzzy Hash: D1F06891B1CA850BE784BE6C89553B569D2FFC8304F44817D914DC26D7DE2898054341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26625B Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a13f6bf18392fde88c2bacf69421ae8c41647f87a176c1cf1205d0859078e60
Instruction ID: 9e78b112ecfb478571cf15e302d9f5a04b5737e83346ada6bc2da9a8df3437aa
Opcode Fuzzy Hash: 6a13f6bf18392fde88c2bacf69421ae8c41647f87a176c1cf1205d0859078e60
Instruction Fuzzy Hash: 53F0C2A1E0D6890FE782FF6DC95579ABFE2EF94200F5480AD81498B196DA399901C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B264C2B Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9faccd5f4c907a0759bb21f941a1c072eeceb0a1a6d539b3bffdb49507e9e79b
Instruction ID: f2a79d4d9395d35ec02278cc0653571ce4c5d438ab70ddaed1acdd0739de2f6c
Opcode Fuzzy Hash: 9faccd5f4c907a0759bb21f941a1c072eeceb0a1a6d539b3bffdb49507e9e79b
Instruction Fuzzy Hash: ADF0A7A1B0CE498BE754EE2C88163697AC2EF9C754F0842B89488C3381DD345C014BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B267AE8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481094350463d188656e56d3c64582b28c30a93539853618f7e2da37064cd61b
Instruction ID: 1c6d3e540af8be4a3d95f36d3a2668ed31f55e2dfa93f59316394514c2e0b524
Opcode Fuzzy Hash: 481094350463d188656e56d3c64582b28c30a93539853618f7e2da37064cd61b
Instruction Fuzzy Hash: 9DF06D3035C5488FE628FE1CE891B7833D5EB99321F10416DD48BC32A6D924ED468785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26B21F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ec930edb4bb9be69695570ac02b521ed1a5577c0d4899b9997c74480d7114e
Instruction ID: 600faf469b324c05c38ba62aa6a28fb87a5faef81b4effe9ec5c27f626ff5894
Opcode Fuzzy Hash: 77ec930edb4bb9be69695570ac02b521ed1a5577c0d4899b9997c74480d7114e
Instruction Fuzzy Hash: 73E01A92F6C98617E25C782CA4663B90AD6D798714F95813EE24AC32EAEC285C130295

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B265264 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec3ba39cdca25b4970a40eb53dca0275a1bff2c67187d70d45502fc78636ebc
Instruction ID: 1e2fbf9ed3b8dba5242fab471ff207343cac2a91876a0cd39648f016fe43d05d
Opcode Fuzzy Hash: 0ec3ba39cdca25b4970a40eb53dca0275a1bff2c67187d70d45502fc78636ebc
Instruction Fuzzy Hash: A3E0D83251C12A0AE36C7929D85117572C0E755721F14537ADDDBC32E1F81C99151384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B268070 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10f011042a37bc8a8c86e4ae7e84f0185a822edd4a8e766bcbfeef6a87cf9eb
Instruction ID: e6a65d7a7e88d03d755c5cbb265364ab18e20f864d51857e7176cfcd8c3b7647
Opcode Fuzzy Hash: b10f011042a37bc8a8c86e4ae7e84f0185a822edd4a8e766bcbfeef6a87cf9eb
Instruction Fuzzy Hash: D0E0863072C5454FD71CBA2CEDA167473C6D7D5B11B10427ED84BC36E6DC546A064185

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B264BE4 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3eb40c0d3570a1e3a8177799502166fe64b61516c1b3958a6d9ec276cfee12
Instruction ID: 6368554dc6723f48ffcb423ecd195aa4c5a39dd0e245adcf780afe3c68be5578
Opcode Fuzzy Hash: ce3eb40c0d3570a1e3a8177799502166fe64b61516c1b3958a6d9ec276cfee12
Instruction Fuzzy Hash: F8F03061A5C6960FD395EB6CC8113657EE1AF99244F0881BEE188C7396DD2465054345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B265F6D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af224a32e6a29eb71e1e0311cfc928e0788061fda39c5e3bc2fe77daab46768
Instruction ID: 07945baeb0ae6e7af76756d9d1e382f4344d428d3beb624b45310b8c9428e491
Opcode Fuzzy Hash: 1af224a32e6a29eb71e1e0311cfc928e0788061fda39c5e3bc2fe77daab46768
Instruction Fuzzy Hash: A8E0BF7170880E8FEB50FE1CD894AA437D2EBA9351B15467BE40AC72B4ED24ED558781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26BDCF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c336576c8e46eb8a1e0d0f9c0c667d5467dde64f811f45215f0ef9ea0fd79b
Instruction ID: 3cdecb714c7a9d7a6d818218cacf1812a8be4d641c2d0f606c928bbaf899c3d2
Opcode Fuzzy Hash: d8c336576c8e46eb8a1e0d0f9c0c667d5467dde64f811f45215f0ef9ea0fd79b
Instruction Fuzzy Hash: 4FE0EC716088098FEBA4FF1CC499EA837E1FB65311B11457AD519CB2B5E924ED448B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B267CAB Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9d82237d221178e2a9853b93d35a1c49d0400f85bdcefe5a847f79d882c48c
Instruction ID: 86f5bb83612436b4cea80c0868263f32565817badc2de83c5080f1d5b466b13e
Opcode Fuzzy Hash: fe9d82237d221178e2a9853b93d35a1c49d0400f85bdcefe5a847f79d882c48c
Instruction Fuzzy Hash: 89E0123130C80D8FE754FE28D894A6937D1FB647517154ABAD81AC72B5ED24ED418B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2678D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8481d587090343ca1ff8d565a1bd2cce300d404187bf24c40dc3718068b061f9
Instruction ID: bd27196f3fbe4fb9c7a00ca3b1f54b3dd760499f0b6c89a2c318d966c0fa8617
Opcode Fuzzy Hash: 8481d587090343ca1ff8d565a1bd2cce300d404187bf24c40dc3718068b061f9
Instruction Fuzzy Hash: 06D012707185098B861DEE1CE495135F3E1FB89B0571043A9AC8B83295DE28EC4386C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26691D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9dc09bfc9150a11c9971f7d10c380b48e4a8949386328dea4e42f05e6dfcfa
Instruction ID: 26bffe3e6e06de80d445720423b187f60640342fd1624b1e8173b3d41726dbdd
Opcode Fuzzy Hash: 4e9dc09bfc9150a11c9971f7d10c380b48e4a8949386328dea4e42f05e6dfcfa
Instruction Fuzzy Hash: 91E0ED70D0851A9AD799EB29C8402A8FAA2BF86300F54C1F9D15D97196CA3869868B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B268419 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8928d25c24105fba9769791af1c4a186e0c969cddfa5c2f4aa968483d4b038a2
Instruction ID: b1109c8111d9a29299c4afd54950c1bce247896379bf8a65955f82ff625b74ce
Opcode Fuzzy Hash: 8928d25c24105fba9769791af1c4a186e0c969cddfa5c2f4aa968483d4b038a2
Instruction Fuzzy Hash: 1CD05E31A0C8068BF711FF28C844ABC73C1E765320F148A7BD905C72E1ED6CE99406C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B263F40 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a33272408cea843f1f04c13d94f488a6c7f029a3f2fab35f88e10771ab05a1
Instruction ID: 0e689f79c55b88bb119253c1f24e506e1d002c1442ddc4873ee9d9edaba90884
Opcode Fuzzy Hash: 39a33272408cea843f1f04c13d94f488a6c7f029a3f2fab35f88e10771ab05a1
Instruction Fuzzy Hash: 13D0A742E1D44507E348753D59AA2202E80EF9630CFA84079D18DC5297DC0C19134243

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2608CA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d427a394dd64d5362107ed1a250e32827e6e3cc70b9e02b9d39ce7150b6246
Instruction ID: 57bf7d593e0bca80e82cc64346bce22ef0db1c92e2e92aa7d516665742e7b58e
Opcode Fuzzy Hash: 65d427a394dd64d5362107ed1a250e32827e6e3cc70b9e02b9d39ce7150b6246
Instruction Fuzzy Hash: 63D0C9B1D0980CAEDB50EFA8E8415FDBBB4EF45211F4051B6D90DD3151DE312A518740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26EDD1 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a55199834cc5a5706c1854d2d8e023cf56aaa5f78bf69f987e7e80eefdc46c
Instruction ID: f7c5f88c79d436d8e8e56d8086f693bf6ffc45fa681984037feb25557b8afbb8
Opcode Fuzzy Hash: 42a55199834cc5a5706c1854d2d8e023cf56aaa5f78bf69f987e7e80eefdc46c
Instruction Fuzzy Hash: 5AD0C9A0D6955B8AE7A4FF2CC8107FC76A5BF48200F4041F8800DD2692EE342D419F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B264B71 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad763b775a44c65e5a1e1bb6475bd7932b9eb9f2ef4167b60cfb9e6b7936a3d
Instruction ID: 97439ea53d999ac4e94665ac6cdb4e5b8f899e4be16b0a38f3755ee047a15f2e
Opcode Fuzzy Hash: 1ad763b775a44c65e5a1e1bb6475bd7932b9eb9f2ef4167b60cfb9e6b7936a3d
Instruction Fuzzy Hash: 30B09B90D4C51546F744BE6CD14136858909B4D300F20407DD35DD11D2CA1C14004115

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2653CD Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869d90da78b6449758a5a24cad5b9a6c9d330cfcea81b9add533d9d980bea100
Instruction ID: 7d68303e5bde10d1e0a4d69e4c409cb106a4fd647fb1bdd1347df227c92d5538
Opcode Fuzzy Hash: 869d90da78b6449758a5a24cad5b9a6c9d330cfcea81b9add533d9d980bea100
Instruction Fuzzy Hash: 01A0028160C64E8AE2A0BC6C964033414C0075C600E108035471DC2292E8991C551206

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFB4B266C28 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93cc5f0d98da7611dda2ebc372885181bd08e004086cf56e0fcc18d6bee9055
Instruction ID: 5e0285f09fb15505eeba1f5a70f2202b18b6bb56aafaac1d5ed9b460a897f4de
Opcode Fuzzy Hash: c93cc5f0d98da7611dda2ebc372885181bd08e004086cf56e0fcc18d6bee9055
Instruction Fuzzy Hash: 4ED1B3A180E7C15FE317AB788CA55A17FB0EF17210B1A45EFD4C5CB0E3E518680AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26A950 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6d76df18597abf81fbc9f23b3797611c216b1c263141bc2ac4498bdbcd8315
Instruction ID: ea3624d0cc9be9a9f5522fb434cde0cd9487ce5bca7b17d454c97bc5d7ba4b47
Opcode Fuzzy Hash: 3b6d76df18597abf81fbc9f23b3797611c216b1c263141bc2ac4498bdbcd8315
Instruction Fuzzy Hash: F2B1D27180D3C55FE31AAA348C151627FF5EF53214F0A81EFD589CB1A3E9196C16C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26E6FA Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd576eb99548688316d73dd7739eaf99ff3749676103e7cd5ad17a3991789ab5
Instruction ID: 7f3700dcddf9b7cb16871d68c72acc495658ead385189ce8ad42736f47a8313e
Opcode Fuzzy Hash: dd576eb99548688316d73dd7739eaf99ff3749676103e7cd5ad17a3991789ab5
Instruction Fuzzy Hash: 904139B7D0C5D60BE79A7A3D9CA54FA7F90FF8235470944BFD288860E3E80D28068251

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2686C0 Relevance: 12.7, Strings: 10, Instructions: 248COMMON

Download Yara Rule

Strings

hA0K, xrefs: 00007FFB4B268719
PA0K, xrefs: 00007FFB4B2686F9
@0K, xrefs: 00007FFB4B2686C9
0A0K, xrefs: 00007FFB4B2686D9
0B0K, xrefs: 00007FFB4B2687F9
@A0K, xrefs: 00007FFB4B2686E9
xA0K, xrefs: 00007FFB4B268729
PB0K, xrefs: 00007FFB4B268819
A0K, xrefs: 00007FFB4B268799
`A0K, xrefs: 00007FFB4B268709

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: 0A0K$0B0K$@A0K$PA0K$PB0K$`A0K$hA0K$xA0K$@0K$A0K
API String ID: 0-2611885568
Opcode ID: e5d2f72255b5fda64a2832da70c2394b2618c0cfe2f0653a40fa2c259ab19b71
Instruction ID: a788f2e52e50369a68e8a9c83d01883d3fbe933d773b1e5899545f1879d147a2
Opcode Fuzzy Hash: e5d2f72255b5fda64a2832da70c2394b2618c0cfe2f0653a40fa2c259ab19b71
Instruction Fuzzy Hash: CD8128C790E6C60FE35AB9BD59161256EE1FF9225075980FFD1C44F0ABE8189E098392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2685F6 Relevance: 11.6, Strings: 9, Instructions: 308COMMON

Download Yara Rule

Strings

hA0K, xrefs: 00007FFB4B268719
PA0K, xrefs: 00007FFB4B2686F9
0A0K, xrefs: 00007FFB4B2686D9
0B0K, xrefs: 00007FFB4B2687F9
@A0K, xrefs: 00007FFB4B2686E9
xA0K, xrefs: 00007FFB4B268729
PB0K, xrefs: 00007FFB4B268819
A0K, xrefs: 00007FFB4B268799
`A0K, xrefs: 00007FFB4B268709

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: 0A0K$0B0K$@A0K$PA0K$PB0K$`A0K$hA0K$xA0K$A0K
API String ID: 0-1603871924
Opcode ID: 9337b401f8f58c54f1100f16a1836ebd53d52b55373e18c41ad9f2c7dffec8af
Instruction ID: 41087ac74cc2ebe63b8575b5f8887af7ac74eb9f9571f1211928d2baed336749
Opcode Fuzzy Hash: 9337b401f8f58c54f1100f16a1836ebd53d52b55373e18c41ad9f2c7dffec8af
Instruction Fuzzy Hash: 51A1279690E7C60FE31ABA7C98151647FE1FF52250B1981FFD1C48F0EBE9189D0A8392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B268626 Relevance: 11.6, Strings: 9, Instructions: 304COMMON

Download Yara Rule

Strings

hA0K, xrefs: 00007FFB4B268719
PA0K, xrefs: 00007FFB4B2686F9
0A0K, xrefs: 00007FFB4B2686D9
0B0K, xrefs: 00007FFB4B2687F9
@A0K, xrefs: 00007FFB4B2686E9
xA0K, xrefs: 00007FFB4B268729
PB0K, xrefs: 00007FFB4B268819
A0K, xrefs: 00007FFB4B268799
`A0K, xrefs: 00007FFB4B268709

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: 0A0K$0B0K$@A0K$PA0K$PB0K$`A0K$hA0K$xA0K$A0K
API String ID: 0-1603871924
Opcode ID: 6d0701809dbe70c3d80a54865fe8e818075a6ca5b316c31a27731a0c668571e2
Instruction ID: deae841eacae1767bf740b663c27a8466f0db915ba7b5961edfd17d97dfdd308
Opcode Fuzzy Hash: 6d0701809dbe70c3d80a54865fe8e818075a6ca5b316c31a27731a0c668571e2
Instruction Fuzzy Hash: 58A1178690E7C60FE31ABA7C98551647FE1FF52250B1981FFD1C48F0EBE9189D0A8392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B268738 Relevance: 5.1, Strings: 4, Instructions: 104COMMON

Download Yara Rule

Strings

hA0K, xrefs: 00007FFB4B268719
xA0K, xrefs: 00007FFB4B268729
A0K, xrefs: 00007FFB4B268799
`A0K, xrefs: 00007FFB4B268709

Memory Dump Source

Source File: 00000000.00000002.1399546110.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b260000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: `A0K$hA0K$xA0K$A0K
API String ID: 0-257056950
Opcode ID: a2dd61d8640761e7de0a2124f44a4775313b35f25129b6a24a2fa81eaf873ce7
Instruction ID: 4b7d89832cb84a8fd7323f949fde3160e83d65231cc6a2100b5b3ed39e0dbd76
Opcode Fuzzy Hash: a2dd61d8640761e7de0a2124f44a4775313b35f25129b6a24a2fa81eaf873ce7
Instruction Fuzzy Hash: CA310ACB50EAC21BF31E79AD69561245FE1FF9129075980FFD1C44F0DF98289E4983A1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BmLue8t2V7.exePID: 7260, Parent PID: 1240COMMON

Executed Functions

Function 00007FFB4B2908D3 Relevance: 2.8, Strings: 2, Instructions: 330COMMON

Download Yara Rule

Strings

K;M, xrefs: 00007FFB4B29096F
;M_^, xrefs: 00007FFB4B290901

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: ;M_^$K;M
API String ID: 0-263230361
Opcode ID: ba5d918d391a185d4a84ae667bb0f11232bc99164c40274fdbea81ea0895bdd7
Instruction ID: 74a0a557b6a3ef6e6217e5b6c8b1b1a00b55884cb614fab9b70a9551e0e782db
Opcode Fuzzy Hash: ba5d918d391a185d4a84ae667bb0f11232bc99164c40274fdbea81ea0895bdd7
Instruction Fuzzy Hash: 69A15D71A0992D8FDB94EF6CD885BEDBBB1FF59311F0042AAD04DD7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2908D8 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

K;M, xrefs: 00007FFB4B29096F
;M_^, xrefs: 00007FFB4B290901

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: ;M_^$K;M
API String ID: 0-263230361
Opcode ID: 0b49426d924aca38fa5010209dcc0c3162607230ec82fefee721971aa9258140
Instruction ID: 1cadc1be83442ab42f5db96ee6725c17eb5f11d7846523e5e75e383c06001610
Opcode Fuzzy Hash: 0b49426d924aca38fa5010209dcc0c3162607230ec82fefee721971aa9258140
Instruction Fuzzy Hash: 26A15C71A0992D8FDB94EF6CD885BECBBB1FF59311F0042AAD04DD7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2908E8 Relevance: 2.8, Strings: 2, Instructions: 315COMMON

Download Yara Rule

Strings

K;M, xrefs: 00007FFB4B29096F
;M_^, xrefs: 00007FFB4B290901

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: ;M_^$K;M
API String ID: 0-263230361
Opcode ID: ac130c1c5c14a8d88073ca80f060fa4493e1c8bddbd54ccc7d7d5eaae916d6ad
Instruction ID: bd27ebe5bc9c0988b18097b6dc3c80cb7cf0a1df2ea7286e2e65159df9f00ed8
Opcode Fuzzy Hash: ac130c1c5c14a8d88073ca80f060fa4493e1c8bddbd54ccc7d7d5eaae916d6ad
Instruction Fuzzy Hash: ECA13A71A0992D8FDB94EF6CD885BEDBBB1FF59311F0041AAD40DE7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2908F8 Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

K;M, xrefs: 00007FFB4B29096F
;M_^, xrefs: 00007FFB4B290901

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: ;M_^$K;M
API String ID: 0-263230361
Opcode ID: 71bf3d5a433b02c8b9231bde78de1de7bc326e4d7c812af5fe63ef23e1f73d43
Instruction ID: 315cb6d06dd16cd2a78d0d6313ef3a03c84a7138ca2bf5327fb98a31c22d3df6
Opcode Fuzzy Hash: 71bf3d5a433b02c8b9231bde78de1de7bc326e4d7c812af5fe63ef23e1f73d43
Instruction Fuzzy Hash: E2A12871A0992D8FDB94EF6CD885BEDBBB1FF59311F0041AAD40DE7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2908B8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

K;M, xrefs: 00007FFB4B29096F

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: K;M
API String ID: 0-1666167106
Opcode ID: eca38899b3304db5a3103291055c753ea2897638bd4aef7098a2d47b5d7e7682
Instruction ID: 5204724a05803f73eeea4567c3d123f3bb4522faa309124aed82163c016d69c8
Opcode Fuzzy Hash: eca38899b3304db5a3103291055c753ea2897638bd4aef7098a2d47b5d7e7682
Instruction Fuzzy Hash: 04A12B71A0992D8FDB94EF6CD885BEDBBB1FF59311F0041AAD40DE7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2908C8 Relevance: 1.6, Strings: 1, Instructions: 304COMMON

Download Yara Rule

Strings

K;M, xrefs: 00007FFB4B29096F

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: K;M
API String ID: 0-1666167106
Opcode ID: 4db2abeaf43b6e350357f798b538c6b32438e640a3549d8a742a1a5bec8a6b55
Instruction ID: f1a98828750d043fb0712bc6c88e659522f77e5670c8293c3f35e27c763bddad
Opcode Fuzzy Hash: 4db2abeaf43b6e350357f798b538c6b32438e640a3549d8a742a1a5bec8a6b55
Instruction Fuzzy Hash: 83A11971A0992D8FDB94EF6CD885BEDBBB1FF59311F0041AAD40DE7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B290908 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

K;M, xrefs: 00007FFB4B29096F

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID: K;M
API String ID: 0-1666167106
Opcode ID: 5731a37b0e7eebf1484540209256e0c4a5d82e44f058d4f03a4947c55b8d9ecc
Instruction ID: a96faef228b062466bab4be053338473da35d40cff57d5efce28474565b484a0
Opcode Fuzzy Hash: 5731a37b0e7eebf1484540209256e0c4a5d82e44f058d4f03a4947c55b8d9ecc
Instruction Fuzzy Hash: D0A10871A0992D8FDB94EF6CD885BEDBBB1FF59311F0041AAD40DE7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B290CF0 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e890ed8fefb547e428644fbd8b363af9022a5bce3c09f3b93d99466fee435f3e
Instruction ID: 2a8c906ce514d0dbc3aab1efc66e91a8f9cceb7309df3b1c6ced6f30c380986a
Opcode Fuzzy Hash: e890ed8fefb547e428644fbd8b363af9022a5bce3c09f3b93d99466fee435f3e
Instruction Fuzzy Hash: 1E22B070A1892D8FDB94FF28C899BA9BBB5FB98305F5041A9D44DD3265CF34AD818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B293A97 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667c5871dbc1fd586847d67392fe7aa0ee92a9cb605503cb39a6c9b9293411b7
Instruction ID: 511c4e1b671909cc5a5760e7570927e13adb24eb95828c010ee31ce4dbd0fc78
Opcode Fuzzy Hash: 667c5871dbc1fd586847d67392fe7aa0ee92a9cb605503cb39a6c9b9293411b7
Instruction Fuzzy Hash: 76B16DB1A0CA5D8FEB95EF68C8557E9BBF1FF59300F0440AAD04DE32A2CA355981CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B295276 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06c1e9d112726c17b16fb74d92a955dce3481f83e86c7890f801d90a023a17c
Instruction ID: 64f23ece007d7a1e038b8c02a8d254e07d99fa4dd43af586a02286436ad84308
Opcode Fuzzy Hash: d06c1e9d112726c17b16fb74d92a955dce3481f83e86c7890f801d90a023a17c
Instruction Fuzzy Hash: 7FB12C70E0CA5D8FDB95EF68C895BA8BBF1FF59300F1441AAD04DE7292DA349985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2946A6 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ab2efa2808dfbb8775dd9f3e7e037e7fd1948346714c38c1805a27d07cb620
Instruction ID: 35ea80d2b98e4e25a608483e6d4663b0ec2e6f422a001faa8278dff6c2d42cdb
Opcode Fuzzy Hash: 64ab2efa2808dfbb8775dd9f3e7e037e7fd1948346714c38c1805a27d07cb620
Instruction Fuzzy Hash: 20B11F70E0CA5D8FDB95EF68C894BA8BBF1FF59300F1441AAD04DE7292DA349985CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2932FA Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f76855e88600dd82e0b558876d2c54bfefec564cf01b53fccdb8186d1651ab7
Instruction ID: e61fc9ccb8a9de55a6e26444cc7290a78f330101cc0c4010b0b14abf81d3022b
Opcode Fuzzy Hash: 0f76855e88600dd82e0b558876d2c54bfefec564cf01b53fccdb8186d1651ab7
Instruction Fuzzy Hash: BDB10E70E1895D8FDB94EF68C895BA9BBF1FF59300F1040AAD00DE32A1DA359985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B294EAA Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0930cf8890d0c45327183cc553baa6ec901bca26e71619cc4d1795cdd6202a
Instruction ID: 9a4b38660b5ee4601ae4d8df29a414876e6e7363b06acff2ff9c2d0e1e89e388
Opcode Fuzzy Hash: 2c0930cf8890d0c45327183cc553baa6ec901bca26e71619cc4d1795cdd6202a
Instruction Fuzzy Hash: 20A130B0E08A5D8FDB94EF68C894BACBBF1FF69300F1041AAD04DE3291DA355985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B294A96 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cabcb82b6d9116b3c62ec43d36bfff620150145b4dc09cb48a5f705f8ff34c
Instruction ID: a8076f6719962b1164385f72562894a68ab1c09d433018f71c966de6b7b0e352
Opcode Fuzzy Hash: 54cabcb82b6d9116b3c62ec43d36bfff620150145b4dc09cb48a5f705f8ff34c
Instruction Fuzzy Hash: D2A12C70E0CA5D8FDB95EF68C855BA8BBF1FF59300F1041AAD04DE3292CA356985CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B293A98 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9aca28024d86eda758de148235e799fae38077303a3516338f973e2a7d045d5
Instruction ID: 7e32be2cfd874a109b6232860cf0cfe127ab401d02f8304d72c7a0fdc04a614a
Opcode Fuzzy Hash: e9aca28024d86eda758de148235e799fae38077303a3516338f973e2a7d045d5
Instruction Fuzzy Hash: 7EA15CB0A0CA5D8FEB95EF68C8557E9BBF1FF59310F0440AAD04DE32A2CA355981CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B293F48 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c6a0a46225e9d0160504d5f3068d73389e97b90e23075962882e5898461d2e
Instruction ID: 7437304c1c0db8bbea127aa00661ef6d33a8994f38a97b8f24a35c894481405f
Opcode Fuzzy Hash: 46c6a0a46225e9d0160504d5f3068d73389e97b90e23075962882e5898461d2e
Instruction Fuzzy Hash: E491BAB0E1891D8FDB94EF68C895BACBBF1FF68301F5041AAD00DE7251DA35A985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B294332 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733b790c43db39666b870f4489d6e1e8d9d980819be8538f353ed255cc226d0d
Instruction ID: f59c8be5f1717fbb74296669ca86cc3b11c7de2f54af32438f3a711f002aca97
Opcode Fuzzy Hash: 733b790c43db39666b870f4489d6e1e8d9d980819be8538f353ed255cc226d0d
Instruction Fuzzy Hash: 3391C9B0E1891D8FDB94EF68C895BACBBF1FF68301F5041AAD00DE7251DA35A981CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B29568A Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd2ec8ced65541a1ca5593e6044c20adc4bda69fd6600edb4757ab9651beba3
Instruction ID: 7eb356ba9be33ecb80b6f63536ebfadd1b6daa01ea8586ea675aa2e53350790b
Opcode Fuzzy Hash: 4dd2ec8ced65541a1ca5593e6044c20adc4bda69fd6600edb4757ab9651beba3
Instruction Fuzzy Hash: 7B81B670A08A5D8FDF94EF68C895BACBBF1FF69301F0041AAD44DE7261DA749881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2909A0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e4fd32c80c4560c016facd3e52c787211dd5bdca0705273ab898439a89d56c
Instruction ID: 90ef61e710c375af2c618a57fbcc1bc321ec3562af99b70b642852cabf4a31a9
Opcode Fuzzy Hash: c0e4fd32c80c4560c016facd3e52c787211dd5bdca0705273ab898439a89d56c
Instruction Fuzzy Hash: E871A670A08A1D9FDF94EF68C895BACBBF1FB69301F5041A9E40DE7251DB74A881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B29204A Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc1aa9abc4e3861543f36556983ec358e1f60f08c0670df050964704b1402ee
Instruction ID: 27dd7538337753b846c6bcfbf6295b67652fee17d199d3be0236548b2cf95ab4
Opcode Fuzzy Hash: 2fc1aa9abc4e3861543f36556983ec358e1f60f08c0670df050964704b1402ee
Instruction Fuzzy Hash: B271DA70A09A5D9FDF95EF68C895AADBBF1FF59301F5040A9D04DE7262CB35A881CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B292060 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d16222807a9d302415112e6fbf28b086a71b3a188e8bcf3d9872bd3b86e3c15
Instruction ID: 577e762d2f8ef14cbdebfcf5f71bdc58ca64ee6cac12bac3c72940ea920963bc
Opcode Fuzzy Hash: 5d16222807a9d302415112e6fbf28b086a71b3a188e8bcf3d9872bd3b86e3c15
Instruction Fuzzy Hash: FE71B670A09A1D9FDF95EF68C895AADBBF1FF69301F504069E00DE7261CB35A881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B290B0D Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dadf5b20cca408817bead7fb9969cc6fd73019000afae0d0a5401f6b6390da8d
Instruction ID: 567754890745849e354a49f07e3781981ad4b0af72bed31f3c4d7b2ed497ac1a
Opcode Fuzzy Hash: dadf5b20cca408817bead7fb9969cc6fd73019000afae0d0a5401f6b6390da8d
Instruction Fuzzy Hash: 43313BB2A0DA8D8FE342BF78C4622E97F71EF49214F0441BAC588D61D7DE281403C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B295E9E Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54755c7ea80e264654e8b51e1a5c32f29cb6ec3c1d037ba7571047b18aceafa4
Instruction ID: 60b3f33a885c33224bb4a9d1bb2173119909ff5866dba3bc6d24e48a1727f4ae
Opcode Fuzzy Hash: 54755c7ea80e264654e8b51e1a5c32f29cb6ec3c1d037ba7571047b18aceafa4
Instruction Fuzzy Hash: 7831E470D0A64E8FDB46FBB8C8516EDBBF1EF4A300F000079D549D7692CA799882CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B290B30 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40ab6e8c1b0c1f5d2f1f6916257b4f6dc41163cf46cfe77e62e0cf380104640
Instruction ID: 9fcc10d47896e11639d7b69a69468c6bfb5066376aee7a4b477655342290e974
Opcode Fuzzy Hash: a40ab6e8c1b0c1f5d2f1f6916257b4f6dc41163cf46cfe77e62e0cf380104640
Instruction Fuzzy Hash: 353137A1A1DA8D8EE741BF38C4622E97FB1EF89214F4441B9D589D72E6CE2818038760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B290B38 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c7f0afb7c798a795032041e2895aaa28245908f344fd5413b63c4dbe15588f
Instruction ID: 57b90b5e4353d48b3d1debaa004301b77c418e73bf29dc8f9098fe6ac61e7aa9
Opcode Fuzzy Hash: 78c7f0afb7c798a795032041e2895aaa28245908f344fd5413b63c4dbe15588f
Instruction Fuzzy Hash: 142149A1A1DA8D8FE741BF38C4622E97F71EF89310F4441B9D58DD76D6CE2818078760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B290B40 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747add6d465a058b0026529b861234171b3d7a224f96bc4c694ceb9a31227bf5
Instruction ID: 81b7dfea28758fa99c9c1e09d013764393c5d49999e10420a29cd00a53aa00a5
Opcode Fuzzy Hash: 747add6d465a058b0026529b861234171b3d7a224f96bc4c694ceb9a31227bf5
Instruction Fuzzy Hash: 322109A1A1DA8D8EE741BF38C4662E97F71EF49310F4441B9D589D76D6CE2818068760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B295D81 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0d2db74ca954a3e2250a0492a35ca19fddcc3a42b474e37f423c73a597161d
Instruction ID: 6896b5a3313cf962c2c0d86f2515cc2b42042a3811a80250e96b8379b025365c
Opcode Fuzzy Hash: 4d0d2db74ca954a3e2250a0492a35ca19fddcc3a42b474e37f423c73a597161d
Instruction Fuzzy Hash: 172106B0E09A1E8FEB41EFA8C4596EDBBB0FF59300F54546AD50CE3291DB38A945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B290B48 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1119436550d6c583744c478492216791998d3aac37b453e796ccddc536742ccc
Instruction ID: 5554cca3708928eb7ec5a00571c477bdfcc79ed6b1b3584079f3c8bcc264db8d
Opcode Fuzzy Hash: 1119436550d6c583744c478492216791998d3aac37b453e796ccddc536742ccc
Instruction Fuzzy Hash: C52137B1A1DA8D8FE781BF38C4662E97FB1EF49300F4441B9D589D76D6CE281802C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B290B50 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0a737c5c9004cbbe83eba2cf307fba8bbad0d20e7475f85d4110830cfa9aa6c
Instruction ID: f771c8d74ec10ca3e1621857fcbfb80a0aff7b22904461b1e64806732ecfd249
Opcode Fuzzy Hash: c0a737c5c9004cbbe83eba2cf307fba8bbad0d20e7475f85d4110830cfa9aa6c
Instruction Fuzzy Hash: D721F4A1A1DA8D8EE781BF38C4652EA7FB1EF49300F4441B9D589D7696CE281802C361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B291F85 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d0562318e7faa2af15909c7ed873813edbb215bb221e5b277419d52487a75e
Instruction ID: f2c8567767893da66476ebc1ce8f411a4ea06aa21e2592acb76ba17357d5d497
Opcode Fuzzy Hash: 42d0562318e7faa2af15909c7ed873813edbb215bb221e5b277419d52487a75e
Instruction Fuzzy Hash: 4A21F870D0DA4D8FDB41EFA8C859AECBBB1FF69311F04046AD408E3291DB38A8518B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B290C32 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1479328592.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b290000_BmLue8t2V7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f0eb9b6eadfcb82f530cbaa813a7d19caef3b43f2a2ed76606385f8126f84a
Instruction ID: 2073cf6267ba1075c58646a8e21a46c1fa52aacec3f5659470f8f9fa0f560930
Opcode Fuzzy Hash: 68f0eb9b6eadfcb82f530cbaa813a7d19caef3b43f2a2ed76606385f8126f84a
Instruction Fuzzy Hash: D1D09EA2B3C91D6EE794FF78E955AAD67B1FF84600B40423AA15ED25A1DE2828028650

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ffVsTPS.exePID: 7372, Parent PID: 660COMMON

Executed Functions

Function 00007FFB4B27BBFF Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

R1K, xrefs: 00007FFB4B27BC77

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: R1K
API String ID: 0-1664377858
Opcode ID: 2514811d5efe976ed4abacef7d7d1fdab58999ca8300fd8fbd7c4822f92026aa
Instruction ID: d9a24e6b724c484695f940ba67e917bd93559dd4461f165ba1e5c30ccec363f2
Opcode Fuzzy Hash: 2514811d5efe976ed4abacef7d7d1fdab58999ca8300fd8fbd7c4822f92026aa
Instruction Fuzzy Hash: 4D91087190C6C98FD756EF38C8695A57FE0FF46304B0982FED089C71A3DA28A846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27E1D1 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba62ac830e6bd1fa020fd6f5fa8683286f462e3a72d2152483acfcce96fd85e2
Instruction ID: 2bd1d016d9efb1d32017162296d756ee69cf9740c690820bd84dcaf99e76dc17
Opcode Fuzzy Hash: ba62ac830e6bd1fa020fd6f5fa8683286f462e3a72d2152483acfcce96fd85e2
Instruction Fuzzy Hash: 7912E7A7A0D6B24BD3127B7CF8522EA7F54DF4223570841F7D6C9CA093E918244B8BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27214C Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03245d542858cede7fcf566d10aef7d3619504f5a86d6f9b546ab848452874b7
Instruction ID: 98945d44f50e308c4d149134cc586e77ffa28890b165eeba7e31783ef2c5f7cb
Opcode Fuzzy Hash: 03245d542858cede7fcf566d10aef7d3619504f5a86d6f9b546ab848452874b7
Instruction Fuzzy Hash: 43220D70A1995D8FDB94EF28C899BA9B7A1FF59300F1042F9D44DD72A1CE34A981CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27239D Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56396e5e7d95583ad0a0be50660c417bd3a7ed6f4123e20636d454e23f0b01f2
Instruction ID: ee9c42cc8014a6aede2c79c987ba5e6bbf6a2248a46eaa693283095ec14e8b8e
Opcode Fuzzy Hash: 56396e5e7d95583ad0a0be50660c417bd3a7ed6f4123e20636d454e23f0b01f2
Instruction Fuzzy Hash: 19E1D970A09A1D8FDB99EF28C499BA9B7E1FF59300F5041E9D40DE72A1CE35A981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B275208 Relevance: 3.9, Strings: 3, Instructions: 122COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFB4B2753AB
a, xrefs: 00007FFB4B2753A3
`, xrefs: 00007FFB4B275234

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: !$`$a
API String ID: 0-2522460808
Opcode ID: 95659ee32d8715be5e30812d4259540291d39ae2633855406fb46ecd70e0e9d3
Instruction ID: b436e0fa05d75857ebe4749134e18b4dcd069b7c61b4072afc18e92100247d89
Opcode Fuzzy Hash: 95659ee32d8715be5e30812d4259540291d39ae2633855406fb46ecd70e0e9d3
Instruction Fuzzy Hash: 2431C25080D7C65FE34A6B788860275BFE0EF17210F0982BEE5CAC70F3D618A815C766

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27524A Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFB4B2753AB
), xrefs: 00007FFB4B27524B
a, xrefs: 00007FFB4B2753A3

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: !$)$a
API String ID: 0-3910272199
Opcode ID: de6114ccdabc92dab8963c0d5d4f191cad2bb50972a0a293e4e02186a96e336e
Instruction ID: c726b30236dc004b8daf0523a592deabf60d81aa2c6ddae505cbe70d072ae873
Opcode Fuzzy Hash: de6114ccdabc92dab8963c0d5d4f191cad2bb50972a0a293e4e02186a96e336e
Instruction Fuzzy Hash: 1D31D46050D7C65FE346BB748861261BFE0EF57310F0981FAD4C9C70E3DA18A816C762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2767B6 Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

h/1K, xrefs: 00007FFB4B276820
K;, xrefs: 00007FFB4B2767C2

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: h/1K$K;
API String ID: 0-1865500843
Opcode ID: 7842bf7ea044d810707c12c9c1da5b164af523610528042d00a3c10ffab82e3a
Instruction ID: f6e6d5a77ad3275d3ebb700044e8814b3b4c5c569e3ebf6ea7b083e80af5b24f
Opcode Fuzzy Hash: 7842bf7ea044d810707c12c9c1da5b164af523610528042d00a3c10ffab82e3a
Instruction Fuzzy Hash: DC314891A0CA8A0FE796BA7C8D642652FD1EF95390F1841BEC1C8C71EBCC1C9D05C745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2785C1 Relevance: 2.6, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

0A1K, xrefs: 00007FFB4B2786D9
@A1K, xrefs: 00007FFB4B2786E9

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: 0A1K$@A1K
API String ID: 0-3218795490
Opcode ID: 12eb073501094e88ee1bb6b63a1977a0c771eac93d6946d075cddaf716a5444c
Instruction ID: 6beb9b5127617619d2c4cd3d8cfd472658b61bd88829ee826dc04aab461716e0
Opcode Fuzzy Hash: 12eb073501094e88ee1bb6b63a1977a0c771eac93d6946d075cddaf716a5444c
Instruction Fuzzy Hash: 3F31AFA190E7C15FE317AB349C651547FB0AF17310B1A81EBD0C4CB0B7E5189C0ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2766C3 Relevance: 2.5, Strings: 2, Instructions: 32COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFB4B2766D3
r, xrefs: 00007FFB4B2766CB

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: %$r
API String ID: 0-2384768175
Opcode ID: 073334b1d3132105fff790ebf42cb937925a18bdfb185cdf3e525100bdf32ee9
Instruction ID: b67dc9ef1df4046e867407ac8cf2d2a2cb904650090262d5c6013b2fb649e2a8
Opcode Fuzzy Hash: 073334b1d3132105fff790ebf42cb937925a18bdfb185cdf3e525100bdf32ee9
Instruction Fuzzy Hash: 97F0C271A0C7098FD350BF68C940726BAE1FF84384F548379E58C86296D778D940CA89

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B279B95 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

], xrefs: 00007FFB4B279D67

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: d76c18f97c536e872444d7eb007e858cf1e01cbf5f5f7f57396b235d71eb8e6f
Instruction ID: 9c6a21bfa31eb3a714925ae2acc26e417490c5987948ce43020b2653b95b29cc
Opcode Fuzzy Hash: d76c18f97c536e872444d7eb007e858cf1e01cbf5f5f7f57396b235d71eb8e6f
Instruction Fuzzy Hash: 94A1EE7080D3999FD716EF78C8516A97FB0EF57310F1941AAD089CB1A3DA286806CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B274630 Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

0?'K, xrefs: 00007FFB4B27484A

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: 0?'K
API String ID: 0-3314790253
Opcode ID: 229403fd5a0b329efb9e4bfbb627b8875ed76e19c21c6aba0812f0482f83ee70
Instruction ID: ad3951ce4110ffb64120e97c2662b32cdb7c8d82f0aaf80436a3ed0eb5fa4c57
Opcode Fuzzy Hash: 229403fd5a0b329efb9e4bfbb627b8875ed76e19c21c6aba0812f0482f83ee70
Instruction Fuzzy Hash: 40A1177191DBC94FD306EF38C8646A97FB1FF9A300F1445FAC05AC72A2CA292846C795

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27590A Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

y, xrefs: 00007FFB4B275F29

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: y
API String ID: 0-4225443349
Opcode ID: 3dff3e8685fc7e043bdfe63ace790ce71fd6fa7fd473e61e5191afc18e613a9e
Instruction ID: fb94f2e79c5bacbfc55d8b64d63ac3c093831414278839de91b87249d7551d09
Opcode Fuzzy Hash: 3dff3e8685fc7e043bdfe63ace790ce71fd6fa7fd473e61e5191afc18e613a9e
Instruction Fuzzy Hash: 4471D16040E3C65FD317AB7488A55A57FF0EF57210F1986EBD4C9CB0E3E628684AC752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27B019 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

r, xrefs: 00007FFB4B27B031

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: cc69c4d395b9317bed4de014f4f6511eeb146a0bc43e6ad06139580b662ee4c4
Instruction ID: 8c56edd176a86e9d51bb4fd0106deba1a0c7153b08ead0d95dc45a9756f03083
Opcode Fuzzy Hash: cc69c4d395b9317bed4de014f4f6511eeb146a0bc43e6ad06139580b662ee4c4
Instruction Fuzzy Hash: 9951277190C6854FE71AAF78C8A55A97FE5EF47310F0582EAD0C9C71A3D9286806CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27A750 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

), xrefs: 00007FFB4B27A775

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 27a99ce58ddae2e2cc0eb3a2eeaf099c66327b845d28c2e586e91678e868b906
Instruction ID: 4573972faf55dbf7297c2cd01220c591ebfffed76b97e2171e07157c2723f6d9
Opcode Fuzzy Hash: 27a99ce58ddae2e2cc0eb3a2eeaf099c66327b845d28c2e586e91678e868b906
Instruction Fuzzy Hash: 3A41F27190D3C59FD31AAA7488554667FA0DF47320B1A42FFD0CA870A3E95C6847CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27E822 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

r, xrefs: 00007FFB4B27E82F

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: e9a860d56c1dc844e1dc6dfc0af90e0cef1a2dc187aae0d54246eb07a2e4603c
Instruction ID: e6d7eae64eaf9f0511a1cb3f2be2f394789a6d8dd6f60ef9b46b4526924a3917
Opcode Fuzzy Hash: e9a860d56c1dc844e1dc6dfc0af90e0cef1a2dc187aae0d54246eb07a2e4603c
Instruction Fuzzy Hash: F931816180D3C68FE3577B3489611A5BFB4AF03210F1A85EBD1D5CA4F3E91C594ACB22

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27E8E5 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

B, xrefs: 00007FFB4B27E8E6

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 5f4523e1da2c72d3282382121ff86d2542a2a42d11496e2c7f77e68818e7d781
Instruction ID: accac55cefd9f55c0b2b8e084d4cfcdd3343e7531220d0fbe19680933456531d
Opcode Fuzzy Hash: 5f4523e1da2c72d3282382121ff86d2542a2a42d11496e2c7f77e68818e7d781
Instruction Fuzzy Hash: 9C2129A184E3C69FE3576B748921195BFB06F03210F0A86EBD1D58A4E3E65C185ACB32

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27BC61 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

R1K, xrefs: 00007FFB4B27BC77

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: R1K
API String ID: 0-1664377858
Opcode ID: d7097d64aeba85f85cf3076afc5c36e1b4cd4cd79cca57367766868dc33c2a48
Instruction ID: d6af53be24f9940b4f5621bf1380bb2562116b7b5bb70f55606b91a5df447ea0
Opcode Fuzzy Hash: d7097d64aeba85f85cf3076afc5c36e1b4cd4cd79cca57367766868dc33c2a48
Instruction Fuzzy Hash: 0501F1B2A089494FD388EF28C4AD1743BC1EBA9250B04C27FD08EC76B2CD2958428B05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B278925 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cebfaa80382a4e9508d00b9c9efb4f8c7d74e9e1585025f1db7e70000d74d06
Instruction ID: 8131ed81acc42500dc557f32a8512da76f0158b5dded8c57c7826a1a68caf48a
Opcode Fuzzy Hash: 3cebfaa80382a4e9508d00b9c9efb4f8c7d74e9e1585025f1db7e70000d74d06
Instruction Fuzzy Hash: 4B32A2B180D2868FEB19FF24DD556A83FA0FF15315F0841BAD588CB1A3F72C941A8B95

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B277F5A Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965c137c9d15c66784b40d13feb998f36e66635b61dfa0ad5dda9fd6051adfed
Instruction ID: 51ce42ac1ea205b4a719ec58237d02feb5280ca63e2793b78fee0a022521a8dd
Opcode Fuzzy Hash: 965c137c9d15c66784b40d13feb998f36e66635b61dfa0ad5dda9fd6051adfed
Instruction Fuzzy Hash: E281E1A180D7C54FE31AAB7588651617FE0EF57310F1981FED1CACB0A3EA186C06C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27A5F5 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d80d40fda4b11a7d4b7a440bdcf9f452e11ebbba355c3d3f95baf83cf0d672b
Instruction ID: ea21388ecf174b2f0e6a1339ee5f91d7c8a0b0240836d815827e5d22cb7c3041
Opcode Fuzzy Hash: 0d80d40fda4b11a7d4b7a440bdcf9f452e11ebbba355c3d3f95baf83cf0d672b
Instruction Fuzzy Hash: AB715AA690D7C55FE31ABA748C650657FE1EF87220B1982FFD0C9CB0A3E8186807C795

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2741F2 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b326ef5a6d10afa1639c212c930b673140a5eed67cbb26f3a6dec64a1bf97b
Instruction ID: 790eabf7c0f0fa19a525a559161106fb3f48e0036ad0f00e0340671138edcb61
Opcode Fuzzy Hash: f0b326ef5a6d10afa1639c212c930b673140a5eed67cbb26f3a6dec64a1bf97b
Instruction Fuzzy Hash: 9E512A93D0DAC74BE746BA7CD8621F97FA0EF66220B0941B7C5D88A0A3DD142C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B270658 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cedc0692d02eaa13654bdf5ddac00fc3e2dc4f40407803508ff830aaf4e3fca
Instruction ID: 2578839d10f66c89b441c16bca622a070b8b698838fa34b3bc34b5074118d8e2
Opcode Fuzzy Hash: 0cedc0692d02eaa13654bdf5ddac00fc3e2dc4f40407803508ff830aaf4e3fca
Instruction Fuzzy Hash: 2E51A4B1E0C64E8BDB48EEB8C9555AEBBE2EF98300F144179D18DE3291CE3459068B95

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B270A29 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f930f4527265de3a73c9445301c302d8fd688a84906c00a9b51c427c921b520d
Instruction ID: db37bdef23b061bc3f3785a47576b8f0f3c96aa93c984eb573e18ee5427d70b7
Opcode Fuzzy Hash: f930f4527265de3a73c9445301c302d8fd688a84906c00a9b51c427c921b520d
Instruction Fuzzy Hash: 4F5129B1D08A4D8FEB85EFA8C8656ADBFB1FF68200F4441BAD54CE3292DE2458458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2710BF Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8f0566fb7fd83505f2c503359a3904d584375a56d624030120b35f5b150fbd
Instruction ID: 456c466f72ca72071f8f69b5f286379919410eccbb09a16a6f31bedd5310b31c
Opcode Fuzzy Hash: 2b8f0566fb7fd83505f2c503359a3904d584375a56d624030120b35f5b150fbd
Instruction Fuzzy Hash: 645154B161CB498FDB88EF28C8A5A653BD2FF98314B14459CD49DCB2D2CB35E812CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B270A40 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed09c4a37997b30881aaf6d4585f9b6bfeab1dcca21140f6bb872fc16cd43c5
Instruction ID: 960e7bfe11927c0c3ce36e3547bf6aeb6d3e8e2bf17b0885072e38a233ce438f
Opcode Fuzzy Hash: 0ed09c4a37997b30881aaf6d4585f9b6bfeab1dcca21140f6bb872fc16cd43c5
Instruction Fuzzy Hash: 0D512BB1D1894D8FEB94EFA8C8556EDBBB1FF68300F4041BAD54CE3292DE3468458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B279191 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec4bad44d6955d6efc905da147ae39aa9067186f79146b0638dabf3e6dc42f4
Instruction ID: 3ad24a0b171208a327fdc476205295c6aa06832586bef7f7c669ed423b1bbf6c
Opcode Fuzzy Hash: dec4bad44d6955d6efc905da147ae39aa9067186f79146b0638dabf3e6dc42f4
Instruction Fuzzy Hash: ED51C47190C25A8FDF48FE58C8426FA77B1FF59300F104079D949D3291DA38A842CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2792FD Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96604cfa8922a3772cbe0ffa394578dbb0bb72974157f890dcef9fe0206a85d6
Instruction ID: 445e65d93db18b9421dccfcad8c361f268d792212bc74f24226020e0c1e2ee39
Opcode Fuzzy Hash: 96604cfa8922a3772cbe0ffa394578dbb0bb72974157f890dcef9fe0206a85d6
Instruction Fuzzy Hash: 0C416270D1865E8FDB48EF68D8919FEB7B1FF99300F104029E55AA3291CE34A852CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B278E7D Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce4e7dbe99c292670d22c593f82d88494ecd38811636c716b79760053e88410
Instruction ID: 10001a68f7e45565c8ad87bbce6ed78a6d5052ae07ff7bf34020d8e3cb52178f
Opcode Fuzzy Hash: cce4e7dbe99c292670d22c593f82d88494ecd38811636c716b79760053e88410
Instruction Fuzzy Hash: AA415EB191864D8FDF44EF68D8959EDBBF1FF58300F0041AAE849E7291DB34A841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B271157 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327eed76cb33fed769b184df4d4a64e221f0087524845927c5cc52307fd9c532
Instruction ID: 0f10cc0461b7c417159ef9ae8aa794c03476d6fb5567cf0559ac911dc07f357d
Opcode Fuzzy Hash: 327eed76cb33fed769b184df4d4a64e221f0087524845927c5cc52307fd9c532
Instruction Fuzzy Hash: C74145B161CB498FDB88EF28C8A5A553B91FF98354B14015CE49DDB2D2CB75E812C705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27A161 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7e2052df85cec3c39deef3a83dba5ae3bd56584b966ddc8576aa868f019081
Instruction ID: 1a93f7d15ad5489fa8d92bc45eda31e06ba40c1c6341d69cc5a40ca609d60e21
Opcode Fuzzy Hash: 2c7e2052df85cec3c39deef3a83dba5ae3bd56584b966ddc8576aa868f019081
Instruction Fuzzy Hash: 4F318D5261E7C55FE747AA3C98A16307FE2DF5722070D80FBD18ACB1A7D8089C46C366

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27B600 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ccf5a9f4defa2acfaf96c2ed3aac7c93aac6dfc7f6e86483f09d96a34689b2f
Instruction ID: 1dcc12cf160e230f79688eb690e5ea8a9d1e8a85cfea68106cc18a281f21949a
Opcode Fuzzy Hash: 3ccf5a9f4defa2acfaf96c2ed3aac7c93aac6dfc7f6e86483f09d96a34689b2f
Instruction Fuzzy Hash: CD31AF6180D3C14FE317AB308C695A17FB0EF53310B1942EBD4C5CB1A3EA1C681AC7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B275FAB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 430e90713b14689f5d5851196b7ea7204aae4ad093b29f1865ad1029a93a9ad0
Instruction ID: 2a5baa6da7115fdef90f26f2f79a29c87a035940316d2b1324799e3d4d446045
Opcode Fuzzy Hash: 430e90713b14689f5d5851196b7ea7204aae4ad093b29f1865ad1029a93a9ad0
Instruction Fuzzy Hash: 75317C6154E7C25FD307AB7888621A17FE0AF47214B1D81EBD0C9CB0E3D61C984AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B274E04 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c77900162f99741d4d254285db4d3009388006de7f8454172a4e697a80858cb
Instruction ID: 3b24f76d5f0dcd5e82e93dfade897a3b064ba9172ca5b4179d6db2b3a4f8f268
Opcode Fuzzy Hash: 1c77900162f99741d4d254285db4d3009388006de7f8454172a4e697a80858cb
Instruction Fuzzy Hash: 4C21C3A1B0881A8FE798EE6CC4157A9B7E6FB98310F108276D45DD3296CE349C424B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B271CC8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5bde6e98b9536e175aaad5f426ecb23de627fce4af156979ad22f921497db5
Instruction ID: abcc1b1afdcc3fb63a17806d07357eadbe1169710b93b1e061ebc84774150c51
Opcode Fuzzy Hash: 2e5bde6e98b9536e175aaad5f426ecb23de627fce4af156979ad22f921497db5
Instruction Fuzzy Hash: BD2101F290DA994EE3A5EA68D8096E9BFE1FF44700F0081BAD08CE2192DB241C518B95

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B274295 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7d685a6b09d186d9c6653ec7853d6141b0952511600709bcf0c338954a5123
Instruction ID: 190aae18293b099628eea2f15c2047e12e864e944ce1e2c4bd904e8c5d786967
Opcode Fuzzy Hash: db7d685a6b09d186d9c6653ec7853d6141b0952511600709bcf0c338954a5123
Instruction Fuzzy Hash: C321A2A1D0D98E8FD746BB78C8211EDBFB1EF95214F4401F6D49CD71A3CD2828058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B278260 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15961c6c7f46d22edeb9d34a8e944ed0ba77ce2888f69df56398dbcbe799ca9d
Instruction ID: 7cc229896431cc5e3597648406d9f8293b54707f2a1e00698f735ad651afb329
Opcode Fuzzy Hash: 15961c6c7f46d22edeb9d34a8e944ed0ba77ce2888f69df56398dbcbe799ca9d
Instruction Fuzzy Hash: 5921ADA190D7C54FE357AB3988652543FE0AF17310B1985EBD0CACB1B3EA1C5C06CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27E887 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c8c14b88273afea9438bec083270c5a39edafa0a1dd4ef4a41df842bf79b68
Instruction ID: dab954106e4b54a555b7b8a35398f2120e7f5c35bdd987676f87ddaa67ba4057
Opcode Fuzzy Hash: 30c8c14b88273afea9438bec083270c5a39edafa0a1dd4ef4a41df842bf79b68
Instruction Fuzzy Hash: A0314F5194E3C68FE3977B7489212A4BFB15F43210F0986FBD1D9CA4E3D91C1859CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2742E5 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2dc198b29f106d9c1ddc1097957819d292fa519d31f1aa3821f3396215813a8
Instruction ID: 1b9fde16961f91e2b0c4f7fd451c61809d10580ae4af7083a0937d35ccebd81e
Opcode Fuzzy Hash: c2dc198b29f106d9c1ddc1097957819d292fa519d31f1aa3821f3396215813a8
Instruction Fuzzy Hash: E52191A1D0DA8E8FD746AB78C8211EDBFB1FF99210F4402F6D498D3193DD2428058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B276636 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a7d94c605d59f90d193cedb17524178361ce443f0584dea3893bfb636c5ba6
Instruction ID: 031b0e8825d831a232fafe6f3b5e6531279d45acc7c1cd9f532d80a48ad543c1
Opcode Fuzzy Hash: c2a7d94c605d59f90d193cedb17524178361ce443f0584dea3893bfb636c5ba6
Instruction Fuzzy Hash: B02105A1D0CA5A8FE395FE28C941365BEE1FF45340F94C2B5E58C83196DD38AD818F89

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27828A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7298defa04b02e168880e216bdbde715e1935ac0b126c47b167af9b65d7c13
Instruction ID: aaeb2b0743ffce1b04b476d7a273f5dfbaeea4d7bebf23785757b219b37e1f06
Opcode Fuzzy Hash: 6a7298defa04b02e168880e216bdbde715e1935ac0b126c47b167af9b65d7c13
Instruction Fuzzy Hash: B82190A190D7C64FE3476B7598651507FA0AF17310B1982FBC1C6CB0E3E55C1847C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27823C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358253c5efb2437bf02e9e0a26d46850cd3470e879c63838b213a5e6b3123efe
Instruction ID: 75cea1078eb1111fa83cfea1c89f958b8dcdd7864ba2bf375aab656a5da10601
Opcode Fuzzy Hash: 358253c5efb2437bf02e9e0a26d46850cd3470e879c63838b213a5e6b3123efe
Instruction Fuzzy Hash: B421A1A190D7C58FE3176B7588651907FA0AF17310F1982EFC1CACB0E3E66D5846CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27098D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8d524148e85f86bc0fda952b13eee363440a05c821438a69474b0d861c5b71
Instruction ID: fc532968305b5219c7e89a767d14f37ed0d5f20339919aa687a6d82dfc3b5e49
Opcode Fuzzy Hash: ae8d524148e85f86bc0fda952b13eee363440a05c821438a69474b0d861c5b71
Instruction Fuzzy Hash: C6116DB0C1864E8FEB80FFB8C8486EB7BE0FF59300F0044B6E458D71A1DA38A9548B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27640C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c68dbe8053726f3c48bf7cf481ef6bbf00fb2751e165bac2723fc9047e9d5a7
Instruction ID: 735a1acd9a886ae734f4599907fc369ac5750a29c19dfd50385f744bbfabd068
Opcode Fuzzy Hash: 9c68dbe8053726f3c48bf7cf481ef6bbf00fb2751e165bac2723fc9047e9d5a7
Instruction Fuzzy Hash: 3E1104B09086599FD759FF24C850AE6B6A5EB06320F0442B9E14EC3286DA34AD81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B271DAE Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d69a1adf41ed94bd0b4f53d0b7404801f9081fa9faa6d2ae133cdde566c0d56
Instruction ID: 3ba3918281005f5df9b1384d3e5416fc1c3fa24db761c3e426c6ec540feef9d7
Opcode Fuzzy Hash: 3d69a1adf41ed94bd0b4f53d0b7404801f9081fa9faa6d2ae133cdde566c0d56
Instruction Fuzzy Hash: 991160B192895E8FE795FE18C881BE9B3A1FF58304F0042B6D40DE3156CE34A9828F90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B271EF1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7f6d80756819a36cdd6280bd1b5541d466b74357c09342770b0a0c45ebc174
Instruction ID: 53f43a224dabde98c368836b0bb4034d071258edcad15d46f9e239c834ff0404
Opcode Fuzzy Hash: ce7f6d80756819a36cdd6280bd1b5541d466b74357c09342770b0a0c45ebc174
Instruction Fuzzy Hash: B611D4B091895E8FDB95EE28C885BE9B7A1FF58304F5042F5D41DD3256CE34AE828F80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27B063 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ceec896d5edad76ec3c096d811e72d011de85d44d31052c65b1ec835bffb68
Instruction ID: eba78efceadff2313149293fc28cb3f19f27a68d52d1f9d6d29e471a9a6aaa5f
Opcode Fuzzy Hash: c8ceec896d5edad76ec3c096d811e72d011de85d44d31052c65b1ec835bffb68
Instruction Fuzzy Hash: B711A0B0A1C6494BE748DF1CC4957A97BE2FB88304F40426DF08DD3291DF3899028B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B270538 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b54be6069bdc4c38ae33467a5c36290cf5ca2cc674ecf0bc554b18c44243504
Instruction ID: 0fc418c2c030e398a4b580ed1052d26a391a06fafd28208cb9704dd78f9bcd02
Opcode Fuzzy Hash: 8b54be6069bdc4c38ae33467a5c36290cf5ca2cc674ecf0bc554b18c44243504
Instruction Fuzzy Hash: D101F57151CB495BD788FE68D41096B7BD1FBC8350F80453DB189D33A0DD25AC048B85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B270CF5 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732e9ec3c0c4e3d94d4fe0815789e0399caf40663590cb8b9c4abfe7069752f9
Instruction ID: 706923bdf7c56a183d5392f9209289dca5fc47faf8e115f5dda50b1987f16351
Opcode Fuzzy Hash: 732e9ec3c0c4e3d94d4fe0815789e0399caf40663590cb8b9c4abfe7069752f9
Instruction Fuzzy Hash: 8E01B57040DBC95FD786EB74D4605E77FE0EF8A210F4405BFE1C5D72A2CA2499458782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27085D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9656a49b8b32271c25f0d78a548d164e3233a6552db1f7b6317aad89aed0f0af
Instruction ID: 763dd40dfb03a5e64f332845d4926a6a438192734402e46fcad0954ce1171e39
Opcode Fuzzy Hash: 9656a49b8b32271c25f0d78a548d164e3233a6552db1f7b6317aad89aed0f0af
Instruction Fuzzy Hash: FBF0D1E280EB8A8EE355BFF489660A67FE0EF62300F0548F6D488C10E3D9295848C685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27A7C7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3481feac590d8b03e9ac6d3c9218973ea83329288ce4f34c3bda5244b0f0677a
Instruction ID: 93e988beb8fa8935698966de01173a7b7d926834b75d3a342d732878c0949643
Opcode Fuzzy Hash: 3481feac590d8b03e9ac6d3c9218973ea83329288ce4f34c3bda5244b0f0677a
Instruction Fuzzy Hash: A6014CF790C7421BD758EE1CC5021A57FD1FB96320F10467DE2CA822E1DE2459074B87

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B274EE7 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95dfea4b60d5ff5c09f63a3600a116fef92c672e0e275a2beea63f3fa66d0781
Instruction ID: 8f0d61581ce25e56642309bf736ccae0674957f93fb1b3641fa5e2db0d5dcd0b
Opcode Fuzzy Hash: 95dfea4b60d5ff5c09f63a3600a116fef92c672e0e275a2beea63f3fa66d0781
Instruction Fuzzy Hash: 3E01DFA1E0C90A4FEB88FE7CC55567C66E1EF04300B408075E65DC31A7DD28AC028A85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B274D98 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2335176d1e970be220d8f62925afe078a66d7815d721a6fe3126a82da160e726
Instruction ID: 40d316eba6e6e5871003b4fe6f7494fb61f30debe556619acb44232533cbb09c
Opcode Fuzzy Hash: 2335176d1e970be220d8f62925afe078a66d7815d721a6fe3126a82da160e726
Instruction Fuzzy Hash: 59018460A1C90A8FEB84FF3CC05166DA6E2FF44300F508179D68DC3197DE28AC428B85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B276078 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79b94a6499b7d3d3e3e3563cbb14210fd826fc2e0f751e2ea850d9fc1eb1468
Instruction ID: e7cf83d29f8713a7ff94c9446c468d39f41d3ca13754a4d046fcb537edf4eb7c
Opcode Fuzzy Hash: f79b94a6499b7d3d3e3e3563cbb14210fd826fc2e0f751e2ea850d9fc1eb1468
Instruction Fuzzy Hash: C9F02B91A0DB861FE345BB6C88921A13FC5EF69600B88457CD5CDC71E3D908D9448746

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2761C5 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39babceced5e739e90e49f8e6ef777696549507cdd21db546c12b320d9030df
Instruction ID: b702d41bd7d8a783d8b8ec9ee611de659fbb1e3d101f93753c2af54a07d959b2
Opcode Fuzzy Hash: f39babceced5e739e90e49f8e6ef777696549507cdd21db546c12b320d9030df
Instruction Fuzzy Hash: EEF062A1B2DA850FE788BE6C895527A69D2FFC8344F44817E918DC26D7DE2888058645

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27625B Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a87908c58b1bee42d18e43ad7c6746bb0c79318589ae6918bf4a00156b903ca
Instruction ID: 86a91692147fb9b96d43d457a18883ce3c12039fdb2f236212a4428f19451d9d
Opcode Fuzzy Hash: 9a87908c58b1bee42d18e43ad7c6746bb0c79318589ae6918bf4a00156b903ca
Instruction Fuzzy Hash: D3F022A1E0C6890FE782FF68C91569ABFE2EF94200F5480B981899B192DA389901CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B274C2B Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f475383f69908a5889767780496796d7fafe9ec2cb5ebf0747d93f77ec7197a
Instruction ID: b7e814258d7d2fb4827d0387819289e714b6e9141d21d47e762bdac182f6375c
Opcode Fuzzy Hash: 5f475383f69908a5889767780496796d7fafe9ec2cb5ebf0747d93f77ec7197a
Instruction Fuzzy Hash: 3BF0A7A1B0CA4A4BE758EE2C881A3697AC2EF9C754F0842B89488C3281CD345C014BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B277AE8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481094350463d188656e56d3c64582b28c30a93539853618f7e2da37064cd61b
Instruction ID: 4d347df1725fe747e1f0a5a10634596306c28bfc93786ea8a69ac39ffa9f58c0
Opcode Fuzzy Hash: 481094350463d188656e56d3c64582b28c30a93539853618f7e2da37064cd61b
Instruction Fuzzy Hash: BFF06D3035C5488FE728FE1CE891A7833E6EB99311F10417DD08BC32A6D924ED468B85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27B21F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a310bc6abd3a4d1ca25c498bdf56cc07d43212b501407f1847c7dbb291ba6e
Instruction ID: 0d26aa21b593f24f70963d7d4bd6a2a421a6b5b652f477f06eb0f110bfea323d
Opcode Fuzzy Hash: b1a310bc6abd3a4d1ca25c498bdf56cc07d43212b501407f1847c7dbb291ba6e
Instruction Fuzzy Hash: F5E04892F5C85517F35C746C94662B919D6D798714F558039F18EC33E7EC185C0305DA

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B275264 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acab33f02120707501f0bc192bb0f2d971a4e90372dd895f5226d7802fec48d7
Instruction ID: dcd60784d388e257b1c130d96a0e7cf99f2d6eb56fa11117ab6b9ebf161a3d74
Opcode Fuzzy Hash: acab33f02120707501f0bc192bb0f2d971a4e90372dd895f5226d7802fec48d7
Instruction Fuzzy Hash: C7E0D83251C1290AE36C7926D85117572C0E745721F14533ADDDBC32E1F81C99161784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B278070 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2e6f53ef73d305d7e3794136a5624696e8304ff4571e3e5015ff31c6470f81
Instruction ID: 8873de7303a47db2ed6cd7a4d088e10a49de14ed3500c64ea7d34e07f4e17414
Opcode Fuzzy Hash: 1b2e6f53ef73d305d7e3794136a5624696e8304ff4571e3e5015ff31c6470f81
Instruction Fuzzy Hash: F6E0263072C9014FD31CBA28EDB113473C2D7D5701B10027EC44BC32E6DC146E0601CA

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B274BE4 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d507f9d5869d0fa58d6a68968e32426989895fc2a684f098de118f36ea0879
Instruction ID: 0bb4316946825963fcbbe5d7f90edd4dee02da85dd82048ddb8a060eac907503
Opcode Fuzzy Hash: d7d507f9d5869d0fa58d6a68968e32426989895fc2a684f098de118f36ea0879
Instruction Fuzzy Hash: 81F0E5A0A1C6960FD385FF6CCC113653FE1FF89244F0881BEE1C8C72D6C9246505474A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B275F6D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af224a32e6a29eb71e1e0311cfc928e0788061fda39c5e3bc2fe77daab46768
Instruction ID: 3d085efb92a65e72a2bd362ff8c36ae8c90768f952cf0d47150ec6521468db97
Opcode Fuzzy Hash: 1af224a32e6a29eb71e1e0311cfc928e0788061fda39c5e3bc2fe77daab46768
Instruction Fuzzy Hash: 4FE0863030880A8FE780FE1CC894FA473D2EB68351B154277E40AC73B0ED24EC418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27BDCF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c336576c8e46eb8a1e0d0f9c0c667d5467dde64f811f45215f0ef9ea0fd79b
Instruction ID: 0f69b4cb7c7c61688fd2dfd3c059e9d438f9b01563ad8113f22e997a724ee302
Opcode Fuzzy Hash: d8c336576c8e46eb8a1e0d0f9c0c667d5467dde64f811f45215f0ef9ea0fd79b
Instruction Fuzzy Hash: 3DE0EC716088098FEBA4FF18C4A8EA837E1FB65311B114576D559C72B5E924ED448B84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B277CAB Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9d82237d221178e2a9853b93d35a1c49d0400f85bdcefe5a847f79d882c48c
Instruction ID: 066e1729e82c64bc74aa7885bfb45327dbef0b94d3263f0bb31078ac155e36a9
Opcode Fuzzy Hash: fe9d82237d221178e2a9853b93d35a1c49d0400f85bdcefe5a847f79d882c48c
Instruction Fuzzy Hash: E4E0123130C90D8FE754FE28C89496937D1FB6435171549B6D85AC72B5ED24ED418B84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2778D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8481d587090343ca1ff8d565a1bd2cce300d404187bf24c40dc3718068b061f9
Instruction ID: 888e08a87fefb155fe8cdc8421fc22616e8c40746366960e86aa691cf76cdc69
Opcode Fuzzy Hash: 8481d587090343ca1ff8d565a1bd2cce300d404187bf24c40dc3718068b061f9
Instruction Fuzzy Hash: 1DD012707185498B861CEE1CD495035F3E1FB89B0571043A9A88B83295DE28EC4386C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27691D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c1f46b21159e7d875583afe3f6bcb464fc4cfe38ac6b1492e42f6a4537f1fe
Instruction ID: 3c4f026e5566fcff10aef843ee14e220d5c08977340cf59cfc74ce9ff567d4e3
Opcode Fuzzy Hash: c4c1f46b21159e7d875583afe3f6bcb464fc4cfe38ac6b1492e42f6a4537f1fe
Instruction Fuzzy Hash: D6E01270D0C52A9FD795FB29C8402A8FAA3FF46300F54C1F5D19D97197CA3869868F45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B278419 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b57df98f4cbf8e0c34ecbc6364ee1720c6541eaf128801202f5584eee57c24
Instruction ID: 55dd7c2806e253857c706ad19da6c9751a2e96124eeb4c0fa4339857467995d0
Opcode Fuzzy Hash: a7b57df98f4cbf8e0c34ecbc6364ee1720c6541eaf128801202f5584eee57c24
Instruction Fuzzy Hash: 19D05E31A0C8064BF711FF29C844ABC73C1E765320F148A76D845C72E1ED6CE9840ACA

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B273F40 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30de1aedaa42d5d4fe86a6e4abe2af388141827e09d850d7a486a570af89735a
Instruction ID: 040c1b7b60fca783d09e14020ec5fd20855377bb54a477f137b84d9a51e3b138
Opcode Fuzzy Hash: 30de1aedaa42d5d4fe86a6e4abe2af388141827e09d850d7a486a570af89735a
Instruction Fuzzy Hash: 61D0A742E1D44507E348753E59AA2202E80EF95308F984070D2CCC9297EC0C19034747

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2708CA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d60ed63380434d8751e8bb9fcb9fa2a2164d79d36f9302d328dc81b1609e95
Instruction ID: d703967d8c47580e75fb0387aa1983a1b269ef1ec9f2b3918d13f78b2e698351
Opcode Fuzzy Hash: 47d60ed63380434d8751e8bb9fcb9fa2a2164d79d36f9302d328dc81b1609e95
Instruction Fuzzy Hash: 44D0C9B1D0980CAEDB40EFA8E8555EDBBB4FF44214F5052B6D90DD3151DE302A518B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B27EDD1 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7576d655fafb6b95ade1286f3f6ec74a6fea2de0f7eaa45becdff2ed23e199f5
Instruction ID: 205c3429102f1b9725cca87dd1c47282050477c64bb3168449c34d588b1d12f3
Opcode Fuzzy Hash: 7576d655fafb6b95ade1286f3f6ec74a6fea2de0f7eaa45becdff2ed23e199f5
Instruction Fuzzy Hash: 97D0C9A0D6955B8AE7A4FF28C8107F8B6A5BF48200F4041F4804DD2692DE342D419F58

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B274B71 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad763b775a44c65e5a1e1bb6475bd7932b9eb9f2ef4167b60cfb9e6b7936a3d
Instruction ID: d81394634775048584f1f361e938feddc05f619ac9f4699d243d04294f61b763
Opcode Fuzzy Hash: 1ad763b775a44c65e5a1e1bb6475bd7932b9eb9f2ef4167b60cfb9e6b7936a3d
Instruction Fuzzy Hash: B6B0929090C919CAFB48BE6CD2823A85890AB8C300F1080B9D39EE22D2CA2C28004A1F

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2753CD Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869d90da78b6449758a5a24cad5b9a6c9d330cfcea81b9add533d9d980bea100
Instruction ID: 207b2d134b771a61c11c46cc7310e8b1582b58faad207327721dbe3a468e927b
Opcode Fuzzy Hash: 869d90da78b6449758a5a24cad5b9a6c9d330cfcea81b9add533d9d980bea100
Instruction Fuzzy Hash: 03A0028160C60A8BE2A0BC68964033454C0474C200E108031475DC22A2E4991C45160A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFB4B2786C0 Relevance: 12.7, Strings: 10, Instructions: 248COMMON

Download Yara Rule

Strings

xA1K, xrefs: 00007FFB4B278729
@1K, xrefs: 00007FFB4B2786C9
PA1K, xrefs: 00007FFB4B2786F9
0B1K, xrefs: 00007FFB4B2787F9
hA1K, xrefs: 00007FFB4B278719
`A1K, xrefs: 00007FFB4B278709
PB1K, xrefs: 00007FFB4B278819
A1K, xrefs: 00007FFB4B278799
0A1K, xrefs: 00007FFB4B2786D9
@A1K, xrefs: 00007FFB4B2786E9

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: 0A1K$0B1K$@A1K$PA1K$PB1K$`A1K$hA1K$xA1K$@1K$A1K
API String ID: 0-2232836991
Opcode ID: 0e38516b3170e8211ef09641634c5084f31cc9335ad167674eac7d5134d2238c
Instruction ID: d125da88fd467209d6342c79cb0fa147e2e780d5141aa4fedbeeb93d37b80810
Opcode Fuzzy Hash: 0e38516b3170e8211ef09641634c5084f31cc9335ad167674eac7d5134d2238c
Instruction Fuzzy Hash: 268129C790E6C60FE359BDBA5D061256FD1FB4229075980FBD1C44F0ABE4289D0A8BD6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2785F6 Relevance: 11.6, Strings: 9, Instructions: 308COMMON

Download Yara Rule

Strings

xA1K, xrefs: 00007FFB4B278729
PA1K, xrefs: 00007FFB4B2786F9
0B1K, xrefs: 00007FFB4B2787F9
hA1K, xrefs: 00007FFB4B278719
`A1K, xrefs: 00007FFB4B278709
PB1K, xrefs: 00007FFB4B278819
A1K, xrefs: 00007FFB4B278799
0A1K, xrefs: 00007FFB4B2786D9
@A1K, xrefs: 00007FFB4B2786E9

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: 0A1K$0B1K$@A1K$PA1K$PB1K$`A1K$hA1K$xA1K$A1K
API String ID: 0-3105209958
Opcode ID: 1a57e6b05a4392314369e908b231ecacf50edf4a9545c5baf804a153246175a7
Instruction ID: 1d73b341c48c5e17029bdbc74c5938182ba75cc19784eed9196e4b6bcaa50dd9
Opcode Fuzzy Hash: 1a57e6b05a4392314369e908b231ecacf50edf4a9545c5baf804a153246175a7
Instruction Fuzzy Hash: 9BA128D690E7C60FE31ABA799D161247FA1FF42350B1981FBD1C48F0A7E4189D0A8796

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B278626 Relevance: 11.6, Strings: 9, Instructions: 304COMMON

Download Yara Rule

Strings

xA1K, xrefs: 00007FFB4B278729
PA1K, xrefs: 00007FFB4B2786F9
0B1K, xrefs: 00007FFB4B2787F9
hA1K, xrefs: 00007FFB4B278719
`A1K, xrefs: 00007FFB4B278709
PB1K, xrefs: 00007FFB4B278819
A1K, xrefs: 00007FFB4B278799
0A1K, xrefs: 00007FFB4B2786D9
@A1K, xrefs: 00007FFB4B2786E9

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: 0A1K$0B1K$@A1K$PA1K$PB1K$`A1K$hA1K$xA1K$A1K
API String ID: 0-3105209958
Opcode ID: 9baa96707404e33260a4a743a89f26e277dc8f65a7e0f59089d68f00f4d285a1
Instruction ID: 8a2dcdbcafc87c834f97c6b413b43fe7f71a95e355e310d10809a8fb26935078
Opcode Fuzzy Hash: 9baa96707404e33260a4a743a89f26e277dc8f65a7e0f59089d68f00f4d285a1
Instruction Fuzzy Hash: 8DA139D690E7C60FE31AAE799D161247FE1FF42350B1980FBD1C48F0A7E4189D0A8796

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B278738 Relevance: 5.1, Strings: 4, Instructions: 104COMMON

Download Yara Rule

Strings

xA1K, xrefs: 00007FFB4B278729
hA1K, xrefs: 00007FFB4B278719
`A1K, xrefs: 00007FFB4B278709
A1K, xrefs: 00007FFB4B278799

Memory Dump Source

Source File: 00000008.00000002.1425486322.00007FFB4B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4b270000_ffVsTPS.jbxd

Similarity

API ID:
String ID: `A1K$hA1K$xA1K$A1K
API String ID: 0-1272915098
Opcode ID: 47a5376709c59c14d65cb550ce705dae6a3838478f13b8d9336311d1dd93b47a
Instruction ID: 360bba6b5d89dc2bcc816dbf038550ba6754e03f3998363dc16dcd04f02b21b7
Opcode Fuzzy Hash: 47a5376709c59c14d65cb550ce705dae6a3838478f13b8d9336311d1dd93b47a
Instruction Fuzzy Hash: 0F3126CB90EBC20BF3597DAEAE061255FD2FB5129076980FBD1C44F0DB94289D0A87D9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ffVsTPS.exePID: 7492, Parent PID: 7372COMMON

Executed Functions

Function 00007FFB4B2608D3 Relevance: 2.8, Strings: 2, Instructions: 330COMMON

Download Yara Rule

Strings

;P_^, xrefs: 00007FFB4B260901
K;P, xrefs: 00007FFB4B26096F

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID: ;P_^$K;P
API String ID: 0-3202807064
Opcode ID: 900db028c50f2e77734a9942e86ac7fdcc342ae41c9e4e6d4e8d1473e539865d
Instruction ID: aa01c0c6a819697b2286220920cd6b34f1971e90bf804f32cbecb4dc7d5d0e0b
Opcode Fuzzy Hash: 900db028c50f2e77734a9942e86ac7fdcc342ae41c9e4e6d4e8d1473e539865d
Instruction Fuzzy Hash: 75A13C71A0892D8FDB94EF6CD885BEDBBB5FF58311F0041AAD14DD7252DA34A881CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2608D8 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

;P_^, xrefs: 00007FFB4B260901
K;P, xrefs: 00007FFB4B26096F

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID: ;P_^$K;P
API String ID: 0-3202807064
Opcode ID: 2a558ba16c893ab61694867318b2c74ddba9da8cf020eacd0a8d81dc45b4564e
Instruction ID: 78a7d4ae3d4f04ce7b7ba3ce9c49c8e95ccaedf276f964e01335a69f1e79dad9
Opcode Fuzzy Hash: 2a558ba16c893ab61694867318b2c74ddba9da8cf020eacd0a8d81dc45b4564e
Instruction Fuzzy Hash: 1DA13D71A0892D8FDB94EF6CD885BEDBBB5FF58311F0041AAD14DD7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2608E8 Relevance: 2.8, Strings: 2, Instructions: 315COMMON

Download Yara Rule

Strings

;P_^, xrefs: 00007FFB4B260901
K;P, xrefs: 00007FFB4B26096F

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID: ;P_^$K;P
API String ID: 0-3202807064
Opcode ID: ef4d38d3c42638584efd15db6c4a593e568ff942b84f1123a5f7ae9cc146731b
Instruction ID: 1003a05cbcf5b9669bb90c2a16ae5d2c37884b70515647cad56c5c1b7f6294ca
Opcode Fuzzy Hash: ef4d38d3c42638584efd15db6c4a593e568ff942b84f1123a5f7ae9cc146731b
Instruction Fuzzy Hash: A9A11B71A0892D8FDB94EF6CD885BEDBBB5FF58311F0041AAD04DE7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2608F8 Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

;P_^, xrefs: 00007FFB4B260901
K;P, xrefs: 00007FFB4B26096F

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID: ;P_^$K;P
API String ID: 0-3202807064
Opcode ID: 501ebdeeb677a21962ba459ccb0efd06c0ddd8a74531fb7fd9b148558e51818c
Instruction ID: ea05790f0d1e10b70ebbf9873349690ca2e7ee330801526e10392e574d1b0b37
Opcode Fuzzy Hash: 501ebdeeb677a21962ba459ccb0efd06c0ddd8a74531fb7fd9b148558e51818c
Instruction Fuzzy Hash: C8A10971A0892D8FDB94EF6CD885BEDBBB5FF58311F0041AAD14DE7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B261BC5 Relevance: 1.7, Strings: 1, Instructions: 466COMMON

Download Yara Rule

Strings

&K, xrefs: 00007FFB4B261C4D

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID: &K
API String ID: 0-68722588
Opcode ID: ef398f97e210ff1545b76eb8c7484cb27d3c2f84c51da5e729eea963edf12c32
Instruction ID: 06242fd4af54b964d3da79fd7fcdd24e55b4703db451f7d77ffbe93b1f6b1191
Opcode Fuzzy Hash: ef398f97e210ff1545b76eb8c7484cb27d3c2f84c51da5e729eea963edf12c32
Instruction Fuzzy Hash: 41E1EFB1D0C64D8FEB85FF78C8566E9BBA1FF49311F0401BAD409E72D2DA3868518792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2651AB Relevance: 1.6, Strings: 1, Instructions: 375COMMON

Download Yara Rule

Strings

O_H, xrefs: 00007FFB4B2651D0

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID: O_H
API String ID: 0-364725170
Opcode ID: 84be437477c8811e4a88566ae4cef2b548af279562e1a47650c36398ea93651f
Instruction ID: 1e8cd64e08d72e3cb537f3b2cf45bff225fc0cd1fa897436289788b525e58886
Opcode Fuzzy Hash: 84be437477c8811e4a88566ae4cef2b548af279562e1a47650c36398ea93651f
Instruction Fuzzy Hash: B9D12B7090CA5D8FDB95EF68C895BA8BBF1FF69300F1041AAD00DE7291DA35A985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260898 Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

K;P, xrefs: 00007FFB4B26096F

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID: K;P
API String ID: 0-4840859
Opcode ID: 1b978a2ae048a3bbd7c84f50d4915a677b07098d5bef673ce8a3c4c873d2f202
Instruction ID: 73348410786be4dc4311887ff4e6e4b3d5aba0b5f74ae29f1cae91d50eeac894
Opcode Fuzzy Hash: 1b978a2ae048a3bbd7c84f50d4915a677b07098d5bef673ce8a3c4c873d2f202
Instruction Fuzzy Hash: 98A13B71A0892D8FDB94EF6CD885BED7BB5FF58311F0041AAD14DE7252DA34A881CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2608A8 Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

K;P, xrefs: 00007FFB4B26096F

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID: K;P
API String ID: 0-4840859
Opcode ID: d310bd63b961a5889124615db0507a8b61539d8393b034c6620d6008e22045f1
Instruction ID: 815259c9e85c434d084f3a1264255c61c9332a214c1aa3735dba138210dd8064
Opcode Fuzzy Hash: d310bd63b961a5889124615db0507a8b61539d8393b034c6620d6008e22045f1
Instruction Fuzzy Hash: FEA13B71A0892D8FDB94EF6CD885BED7BB5FF58311F0041AAD14DE7252DA34A881CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2608B8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

K;P, xrefs: 00007FFB4B26096F

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID: K;P
API String ID: 0-4840859
Opcode ID: 404de534cbae445766ed7267ae969e65ee401aa6af14e2d900e3f54d19b3208f
Instruction ID: d14f7e1d1247b6481d6de7d19b0657b0165bbebea51100bbc52299196beaf471
Opcode Fuzzy Hash: 404de534cbae445766ed7267ae969e65ee401aa6af14e2d900e3f54d19b3208f
Instruction Fuzzy Hash: 9BA11B71A0892D8FDB94EF6CD885BED7BB5FF58311F0041AAD14DE7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2608C8 Relevance: 1.6, Strings: 1, Instructions: 304COMMON

Download Yara Rule

Strings

K;P, xrefs: 00007FFB4B26096F

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID: K;P
API String ID: 0-4840859
Opcode ID: 5797af43543d10aefde92c04559943b49ca152656906ea9ac155c04b7811e11d
Instruction ID: 59e37cb1e72ff5fd5b83183ad44d4c9ec676c26baa2dee46a14699073da1b872
Opcode Fuzzy Hash: 5797af43543d10aefde92c04559943b49ca152656906ea9ac155c04b7811e11d
Instruction Fuzzy Hash: F1A1FA71A0892D8FDB94EF6CD885BEDBBB5FF58311F0041AAD04DE7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260908 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

K;P, xrefs: 00007FFB4B26096F

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID: K;P
API String ID: 0-4840859
Opcode ID: feb7a1d5383f8c40a7432ea538ec14e4d696c25c5eb415cf65a17e925733d183
Instruction ID: 97b0abbd4aa90f7a5ac9067a3c934d4a3a63237dc2778141c02d6f888c9777d5
Opcode Fuzzy Hash: feb7a1d5383f8c40a7432ea538ec14e4d696c25c5eb415cf65a17e925733d183
Instruction Fuzzy Hash: 6FA1F971A0892D8FDB94EF6CD885BEDBBB5FF58311F0045AAD04DE7252DA34A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260CF0 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b281eb99e0bf0e76fbdba32c06bac39e193384792b659de0d3c00526be6ad67c
Instruction ID: e204b485e1f11c176df545d9e40c7be3931df99871e3da729606afef80e87ea0
Opcode Fuzzy Hash: b281eb99e0bf0e76fbdba32c06bac39e193384792b659de0d3c00526be6ad67c
Instruction Fuzzy Hash: D122D57091892D8FDBA4FF28C899BA9BBB6FB98304F5041A9D00DD3255DE34AD81CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B264DBB Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf44b691cd756c32c1fa32035f11d9b76dade969389faf93064cf0fc16635e7
Instruction ID: 4a9b61c764f9f3f32f9ed9b9d070d6685879401c5880940c20f0d7f44ee5f3a6
Opcode Fuzzy Hash: 0cf44b691cd756c32c1fa32035f11d9b76dade969389faf93064cf0fc16635e7
Instruction Fuzzy Hash: 4FD12CB0D0CA5D8FDB95EF68C895BA8BBF1FF69300F0041AAD04DE7291DA359985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2641EB Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603e471e35338060ea7ab9efc21c4c81bb1b5dda1cf5f98e5cd7d55caf91d1d8
Instruction ID: d3ddedbec2c82f14066b095918f83fd021398d6c348e3cc73865d2b48f7eaa6c
Opcode Fuzzy Hash: 603e471e35338060ea7ab9efc21c4c81bb1b5dda1cf5f98e5cd7d55caf91d1d8
Instruction Fuzzy Hash: 41D14DB090CA5D8FDB95EF6CC895BA8BBF1FF59300F1041AAD04DE7291DA34A985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2645DB Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57252ef67ba3d34faef41c5ffbf88daf3af8ff6c2448321653dfda7c16c4cfe
Instruction ID: 830f342dd16018e7d4a1370bc736299ad02f3cc75abffaad2836b34ef2ed8ab7
Opcode Fuzzy Hash: d57252ef67ba3d34faef41c5ffbf88daf3af8ff6c2448321653dfda7c16c4cfe
Instruction Fuzzy Hash: 23D12B70D08A5D8FDB95EF6CC894BA8BBF1FF69300F0041AAD05DE7292DA359985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2649CB Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126dcaa0ef1dc711c820d08484cec578758b5ef5771182b7dc628f8aa9706fcc
Instruction ID: cd6fc4dd515f4cd247977f61058e3bd4231a56acd7af70bc9f0aed8b80dae090
Opcode Fuzzy Hash: 126dcaa0ef1dc711c820d08484cec578758b5ef5771182b7dc628f8aa9706fcc
Instruction Fuzzy Hash: 61D14BB0D08A5D8FDB95EF6CC895BA8BBF1FF59300F0041AAD04DE7291DA35A985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2651EB Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30bcf72ddd7affd2e6101195cd2237809073eb571b16037c3ced95ebab736fd
Instruction ID: 9406062ca2d595bbe1df756999396f3b47e702431321efdc444f2b3c5d1c1430
Opcode Fuzzy Hash: a30bcf72ddd7affd2e6101195cd2237809073eb571b16037c3ced95ebab736fd
Instruction Fuzzy Hash: D3B12970D0CA5D8FDB95EF68C855BA8BBF1FF69310F0041AAD00DE7292DA359985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B263A78 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c077044eb9beccdf89b8a78e89ece3d5e67a17058322b82a9b66d097bf6b4c
Instruction ID: 145716a867b70b580aae9204c6f4d1f52616d7c4c28eaeaadfbc696563a7d51e
Opcode Fuzzy Hash: e2c077044eb9beccdf89b8a78e89ece3d5e67a17058322b82a9b66d097bf6b4c
Instruction Fuzzy Hash: D2B16AB090CA598FEB95EF2CC8557E9BBF1FF59310F0440AAD04DE72A2DA355886CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2632FA Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbdd32f135675c2249629ccf9fd2ae51b99921ddef3beafa853280fc546e0376
Instruction ID: 6870f7c89cd526f4b0a052f7f83a5bc9081527643a6d8de52129a10db766f8e4
Opcode Fuzzy Hash: bbdd32f135675c2249629ccf9fd2ae51b99921ddef3beafa853280fc546e0376
Instruction Fuzzy Hash: 86B1FDB0D1895D8FDB94EF6CC894BA9BBF1FF59300F5040AAD00DE3291DA35A985CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B263AD8 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57e667ce60955d1a541fde878b3da836a7263ab2889733bc2f5463e345e3cb5
Instruction ID: e9407c875f0571f3c5cae17230722c353908c77019e0fd99388709d8645744d0
Opcode Fuzzy Hash: c57e667ce60955d1a541fde878b3da836a7263ab2889733bc2f5463e345e3cb5
Instruction Fuzzy Hash: 81A129B090CA5D8FDB95EF6CC895BA9BBF1FF59300F1041AAD00DE3292DA359985CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B263F48 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31409e358a245ad8343ec19df41beb7df872af003da22f6a36cacdee4f27de2
Instruction ID: cb5c06510ab0883d6b2bcbe99bcb6561a75656458a55484bf4f40a61cd8e815e
Opcode Fuzzy Hash: f31409e358a245ad8343ec19df41beb7df872af003da22f6a36cacdee4f27de2
Instruction Fuzzy Hash: FB91B8B0D0891D8FDB94EF68C895BACBBF1FF68301F5041AAD04DE7251DA35A985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26569A Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da262d2ff9f040a33256943e7dfb3c2aefc4b1b21c7711e64a395b933ac0295e
Instruction ID: cb048aa3336943e8a8a23973f61e1cd09d668a175a003e63cd85106602fcf8eb
Opcode Fuzzy Hash: da262d2ff9f040a33256943e7dfb3c2aefc4b1b21c7711e64a395b933ac0295e
Instruction Fuzzy Hash: 98719670A18A1D8FDF94EF68C895BACBBF1FB69301F5041A9E40DE7251DB74A881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B2609A0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7c7165df62c4e0f034aee2ef297dac4dab334bf75bbe66152d14ac477f1870
Instruction ID: f7574a4aed44d36a5bddc8775f93833d5e92563a2db62ecee13aa29a1c92f3be
Opcode Fuzzy Hash: 0c7c7165df62c4e0f034aee2ef297dac4dab334bf75bbe66152d14ac477f1870
Instruction Fuzzy Hash: 5071A670A08A1D8FDF94EF68C895BACBBF1FB69301F5041A9E40DE7251DB74A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B26204A Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94dc9c76510c82a515016fb37e31efa07bd088f6f1d4381488178170980fcfb1
Instruction ID: 4f72321d8a351774c685c363630449c3a43311f073fcf1786fc99955b6373dee
Opcode Fuzzy Hash: 94dc9c76510c82a515016fb37e31efa07bd088f6f1d4381488178170980fcfb1
Instruction Fuzzy Hash: C571D870909A1D9FDF95EF68C495AA9BBF1FF69311F5040A9E00DE7261CB35A881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B262060 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a7810ed9cce743883408ec5fa338b36880134a3e5203dd7f9d4706dc9e9e68
Instruction ID: 41c35e68850792f0115dbab4b746b9fe511118eaf048fcbe98377b2b51792e3d
Opcode Fuzzy Hash: 37a7810ed9cce743883408ec5fa338b36880134a3e5203dd7f9d4706dc9e9e68
Instruction Fuzzy Hash: 5E71B670A09A1D9FDF94EF6CC495AADBBF1FB69311F5040A9E00DE7261CB35A881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B265E9E Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77138214eeb17f6465345abeeb0f23194bb1fd38b85549fd5fe479c311a4988
Instruction ID: 472c3ad4423bc2a93586c5a865eed3fc5d2d6a7a21d34fd2b56bb7b3d20f7839
Opcode Fuzzy Hash: f77138214eeb17f6465345abeeb0f23194bb1fd38b85549fd5fe479c311a4988
Instruction Fuzzy Hash: 27418E70949A4E8FDB45EBB8C8516EDBBB5FF4A310F001179D409D7292DA39A882CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260B0D Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38003d83914f41b23c7beab14039cc001f0f7bbb794bc616e92c0db92c86d9e
Instruction ID: 8bda82b34e9b917f4373fbf27f55e05864deda19c12f33e04b84d8c3a16e0e59
Opcode Fuzzy Hash: d38003d83914f41b23c7beab14039cc001f0f7bbb794bc616e92c0db92c86d9e
Instruction Fuzzy Hash: 9D3148A691D58E8FE341FF7CC4926E93F61EF89220F0441BAD548D62E3DE28180387A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B265D81 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7804aedac7ab049f2ff779c11e88905bd4fd2821a87f9fe888c5c92e46fe171a
Instruction ID: abcd392bbf41db38e6cd69b347d2ee55617ee24492dca00d70c01cda85e8ffb1
Opcode Fuzzy Hash: 7804aedac7ab049f2ff779c11e88905bd4fd2821a87f9fe888c5c92e46fe171a
Instruction Fuzzy Hash: 0E310574C09A1E8FDB51EFA8C8896EDBBB5FB59310F40153AD40CE7292DB38A945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260B30 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1294b8ee5e337a17cb424e9ba91433f746ccf114f5d77144bcdc82e14aaedc2
Instruction ID: ad890ff84c8889e054d78f4ab2ed1470242da5e651da04e4f94eee2092b29231
Opcode Fuzzy Hash: e1294b8ee5e337a17cb424e9ba91433f746ccf114f5d77144bcdc82e14aaedc2
Instruction Fuzzy Hash: 233126A591D98E8EF751BF7CC4922F97F61EF89210F0041B9D449D62E2DE2818038764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260B38 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b11298c328e1d582f83640ee81d2ec54b248c0db23beeae0c1eb5c08f5f44a7
Instruction ID: ea2a4d0176f7b06e40bc25cfeefa6828042eb6ecf6abfcbf05f32ec599c85305
Opcode Fuzzy Hash: 1b11298c328e1d582f83640ee81d2ec54b248c0db23beeae0c1eb5c08f5f44a7
Instruction Fuzzy Hash: 312139A591D98E8FF781BF7CC4922FA7F61EF88210F4041B9D049D72D2DD2818038760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260B40 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1cb90ab42bb068f870649ee54f336d948d0cc27c921d98fe6d18498333871b9
Instruction ID: bc1069449963653e5c6e52cd8d4e115df1c1f397a37eba892af11e530f1eeaee
Opcode Fuzzy Hash: f1cb90ab42bb068f870649ee54f336d948d0cc27c921d98fe6d18498333871b9
Instruction Fuzzy Hash: 982126A591D98E8FE781BF7CC4962F97B71EF89210F4041B9D049D72D2DE2818028764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260B48 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893d8aa8fc4b0b056c8fd46bc3dc126847c432ee37f2d4786189471163f31710
Instruction ID: b01d5a9bd32d72c7f70c84e13d24661fcaccbac2be70c641efc5a6cb1cd1284b
Opcode Fuzzy Hash: 893d8aa8fc4b0b056c8fd46bc3dc126847c432ee37f2d4786189471163f31710
Instruction Fuzzy Hash: 472105A591D98E8FE791BF7CC4962F97B71EF89210F4041B9D049D62D2DE281842C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260B50 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cfe464952f73d1b993aad6578f0afdfc0776eda0b071f8406778e1e3403bbe
Instruction ID: 3d63faccb5da129f83211e7d7a5c6e4ffe00812a704f67e51699e608643450b5
Opcode Fuzzy Hash: a5cfe464952f73d1b993aad6578f0afdfc0776eda0b071f8406778e1e3403bbe
Instruction Fuzzy Hash: 4C2103A591D98E8FE791BF7CC4A52F97FB1EF89310F4041B9D049D62D2DE281842C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B260C32 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1491462523.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b260000_ffVsTPS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6593e920127ee43a99d1633da7e05c64d88b1cfada815e41d9d6a965952ba322
Instruction ID: a37c4d10d6ec909cf3f64ed90d686dab94d51ab1fe22fd66640c0df0e23fddbb
Opcode Fuzzy Hash: 6593e920127ee43a99d1633da7e05c64d88b1cfada815e41d9d6a965952ba322
Instruction Fuzzy Hash: 34D0A7A1E3881D5FE794FF7CE8D59BD77A0FF84200B40023EE14ED25A1CE2818018751

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BmLue8t2V7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BmLue8t2V7.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ffVsTPS.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kj2eusyt.qx5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nyebbyir.n1o.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_obhwozox.xnq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oiskpibc.lbw.psm1

C:\Users\user\AppData\Local\Temp\tmpB438.tmp

C:\Users\user\AppData\Local\Temp\tmpBC08.tmp

C:\Users\user\AppData\Roaming\ffVsTPS.exe

C:\Users\user\AppData\Roaming\ffVsTPS.exe:Zone.Identifier

Static File Info

General

File Icon

Windows Analysis Report
BmLue8t2V7.exe