
Windows Analysis Report
t5SYVk0Tkt.exe

Overview

General Information

Sample name: t5SYVk0Tkt.exe (renamed because the original name is a hash value)
Original sample name: 381e4d25d271d8fd15f8b04b180be401.exe
Analysis ID: 1457059
MD5: 381e4d25d271d8fd15f8b04b180be401
SHA1: efaa1eb60d999475c755bb9b6eed4ec8f507e699
SHA256: c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e
Tags: 32, exe, trojan

Detection

PureLog Stealer, SystemBC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected SystemBC
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Send many emails (e-Mail Spam)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Connects to many different domains
Connects to several IPs in different countries
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Executes massive DNS lookups (> 100)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • t5SYVk0Tkt.exe (PID: 6668 cmdline: "C:\Users\user\Desktop\t5SYVk0Tkt.exe" MD5: 381E4D25D271D8FD15F8B04B180BE401)
    • t5SYVk0Tkt.exe (PID: 3688 cmdline: "C:\Users\user\Desktop\t5SYVk0Tkt.exe" MD5: 381E4D25D271D8FD15F8B04B180BE401)
  • hnhoatl.exe (PID: 4476 cmdline: C:\ProgramData\iigeb\hnhoatl.exe MD5: 381E4D25D271D8FD15F8B04B180BE401)
    • hnhoatl.exe (PID: 7156 cmdline: "C:\ProgramData\iigeb\hnhoatl.exe" MD5: 381E4D25D271D8FD15F8B04B180BE401)
  • Immmsbclaz.exe (PID: 5780 cmdline: "C:\Users\user\AppData\Roaming\Immmsbclaz.exe" MD5: 381E4D25D271D8FD15F8B04B180BE401)
    • Immmsbclaz.exe (PID: 5296 cmdline: "C:\Users\user\AppData\Roaming\Immmsbclaz.exe" MD5: 381E4D25D271D8FD15F8B04B180BE401)
  • Immmsbclaz.exe (PID: 6400 cmdline: "C:\Users\user\AppData\Roaming\Immmsbclaz.exe" MD5: 381E4D25D271D8FD15F8B04B180BE401)
    • Immmsbclaz.exe (PID: 5516 cmdline: "C:\Users\user\AppData\Roaming\Immmsbclaz.exe" MD5: 381E4D25D271D8FD15F8B04B180BE401)
  • hnhoatl.exe (PID: 2436 cmdline: C:\ProgramData\iigeb\hnhoatl.exe MD5: 381E4D25D271D8FD15F8B04B180BE401)
  • cleanup
Name: SystemBC
Description: SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC. SystemBC has been observed occasionally, but more pronounced since June 2019. The first samples go back to October 2018.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc
Extracted SystemBC configuration: {"HOST1": "claywyaeropumps.com", "HOST2": "185.43.220.45"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000007.00000002.2532284029.00000000042E8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0000000C.00000002.2958017864.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000007.00000002.2520525799.00000000034E8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security
00000000.00000002.2003536249.0000000003C78000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.2002312096.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security
(38 entries in total; only the first five are shown here)
Yara matches in unpacked PE files (Source | Rule | Description | Author):
12.2.hnhoatl.exe.3f1c350.3.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
12.2.hnhoatl.exe.400c390.8.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
6.2.Immmsbclaz.exe.3afef6c.0.raw.unpack | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security
7.2.Immmsbclaz.exe.43103d0.9.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
5.2.hnhoatl.exe.3a7c370.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(38 entries in total; only the first five are shown here)

                      System Summary

Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\Immmsbclaz.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\t5SYVk0Tkt.exe, ProcessId: 6668, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Immmsbclaz
Sigma detected: Suspicious Outbound SMTP Connections
Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.19.239.228, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\ProgramData\iigeb\hnhoatl.exe, Initiated: true, ProcessId: 7156, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49740
                      No Snort rule has matched
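The two Sigma matches above (a Run-key value pointing into AppData\Roaming, and a process living under C:\ProgramData opening TCP 587) can be re-created as a small detection over Sysmon events. The block below is an added example written for this page; it is not part of the Joe Sandbox report and not the text of either Sigma rule. Event field names follow Sysmon (EventID 13 = registry value set, EventID 3 = network connection), the sample events are constructed from the values in the report plus two benign ones, and the allow-list of mail clients is an assumption.

```python
"""Added example (not from the Joe Sandbox report): re-implementing the two Sigma
detections that fired on this sample over Sysmon-style events.

Sample events below are constructed from the report's values plus two benign
events; the MAIL_CLIENTS allow-list is an assumption."""

import re

# Autorun locations to watch; the report's hit is HKCU\...\CurrentVersion\Run.
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\(WOW6432NODE\\)?MICROSOFT\\WINDOWS\\CURRENTVERSION\\(RUN|RUNONCE)\\",
    re.IGNORECASE,
)
# Directories a legitimate installer rarely uses for an autostart binary or a mail sender.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Roaming|AppData\\Local|ProgramData|Users\\Public|Temp)\\", re.IGNORECASE
)
SMTP_PORTS = {25, 465, 587}
# Assumed allow-list: processes expected to speak SMTP on a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def image_name(path):
    """Last path component, lower-cased, for allow-list comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def check_autorun(ev):
    """Sigma 'CurrentVersion Autorun Keys Modification': a Run-key value being set.
    Returns a severity string or None."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    if not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    # Raise severity when the autostart target lives in a user-writable directory,
    # as with the report's Immmsbclaz.exe in AppData\Roaming.
    return "high" if USER_WRITABLE_RE.search(ev.get("Details", "")) else "medium"


def check_smtp(ev):
    """Sigma 'Suspicious Outbound SMTP Connections': a non-mail process initiating
    TCP to a mail submission/transfer port."""
    if ev.get("EventID") != 3 or not ev.get("Initiated"):
        return None
    if ev.get("Protocol") != "tcp" or ev.get("DestinationPort") not in SMTP_PORTS:
        return None
    if image_name(ev.get("Image", "")) in MAIL_CLIENTS:
        return None
    return "high" if USER_WRITABLE_RE.search(ev.get("Image", "")) else "medium"


def detect(events):
    """Run both checks; return (rule, severity, image, pid) for every hit, in event order."""
    alerts = []
    for ev in events:
        sev = check_autorun(ev)
        if sev:
            alerts.append(("autorun_key_set", sev, ev["Image"], ev["ProcessId"]))
        sev = check_smtp(ev)
        if sev:
            alerts.append(("outbound_smtp", sev, ev["Image"], ev["ProcessId"]))
    return alerts


# Constructed sample events: the two from the report plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Users\user\Desktop\t5SYVk0Tkt.exe",
     "ProcessId": 6668,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Immmsbclaz",
     "Details": r"C:\Users\user\AppData\Roaming\Immmsbclaz.exe"},
    {"EventID": 3, "Image": r"C:\ProgramData\iigeb\hnhoatl.exe", "ProcessId": 7156,
     "Initiated": True, "Protocol": "tcp", "SourceIp": "192.168.2.4", "SourcePort": 49740,
     "DestinationIp": "104.19.239.228", "DestinationPort": 587},
    # Benign (constructed): Outlook using SMTP submission, allow-listed image.
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ProcessId": 4100, "Initiated": True, "Protocol": "tcp", "SourceIp": "192.168.2.4",
     "SourcePort": 50001, "DestinationIp": "40.99.10.2", "DestinationPort": 587},
    # Benign (constructed): a registry write outside any autorun key.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe", "ProcessId": 1234,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both checks return a severity rather than a boolean so that the "binary lives in a user-writable directory" condition, which is what makes this sample's two events stand out from ordinary software, can be scored higher without a second rule.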


                      AV Detection

Source: 00000007.00000002.2520525799.00000000034E8000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: SystemBC {"HOST1": "claywyaeropumps.com", "HOST2": "185.43.220.45"}
Source: C:\ProgramData\iigeb\hnhoatl.exe | ReversingLabs: Detection: 44%
Source: C:\ProgramData\iphiso\hfmfgq.exe | ReversingLabs: Detection: 44%
Source: C:\ProgramData\uwhicqw\tupug.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | ReversingLabs: Detection: 44%
Source: t5SYVk0Tkt.exe | ReversingLabs: Detection: 34%
Source: t5SYVk0Tkt.exe | Virustotal: Detection: 32%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\iigeb\hnhoatl.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\iphiso\hfmfgq.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\uwhicqw\tupug.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Joe Sandbox ML: detected
Source: t5SYVk0Tkt.exe | Joe Sandbox ML: detected
Source: t5SYVk0Tkt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: t5SYVk0Tkt.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: t5SYVk0Tkt.exe, 00000000.00000002.2013029719.0000000005B40000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004B36000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003460000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: t5SYVk0Tkt.exe, 00000000.00000002.2013029719.0000000005B40000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004B36000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003460000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2012394682.0000000005950000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003266000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2012394682.0000000005950000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003266000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp
Inlined nop sequences (Source | Code function | function reference as process index_dump index_address):
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4x nop then jmp 059AE7F7h | 0_2_059AE798
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4x nop then jmp 059AE7F7h | 0_2_059AE788
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4x nop then jmp 059AEEE0h | 0_2_059AEE97
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_05A0DDA0
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4x nop then jmp 05B30AD9h | 0_2_05B30908
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4x nop then jmp 05B30AD9h | 0_2_05B308F8
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_05BD0B60
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_05BD0B59
Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 4x nop then jmp 055AE7F7h | 5_2_055AE798
Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 4x nop then jmp 055AE7F7h | 5_2_055AE788
Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 4x nop then jmp 055AEEE0h | 5_2_055AEEA7
Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 5_2_0560DDA0
Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 5_2_05720560
Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 5_2_05720568
Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 4x nop then jmp 05730AD9h | 5_2_05730908
Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 4x nop then jmp 05730AD9h | 5_2_057308F8
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then jmp 0637EEE0h | 6_2_0637EE97
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then jmp 0637E7F7h | 6_2_0637E798
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then jmp 0637E7F7h | 6_2_0637E788
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 6_2_063DFC50
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 6_2_063DDDA0
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then jmp 06500AD9h | 6_2_065008F8
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then jmp 06500AD9h | 6_2_06500908
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then jmp 0602EEE0h | 7_2_0602EE97
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then jmp 0602E7F7h | 7_2_0602E788
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then jmp 0602E7F7h | 7_2_0602E798
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 7_2_0608FC50
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 7_2_0608DDA0
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then jmp 061B0AD9h | 7_2_061B08F8
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 4x nop then jmp 061B0AD9h | 7_2_061B0908
Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 4x nop then jmp 05A4E7F7h | 12_2_05A4E788
Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 4x nop then jmp 05A4E7F7h | 12_2_05A4E798
Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 4x nop then jmp 05A4EEE0h | 12_2_05A4EE97
Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 12_2_05AADDA0

                      Networking

Source: Malware configuration extractor | URLs: claywyaeropumps.com
Source: Malware configuration extractor | URLs: 185.43.220.45
                      Source: DNS query: out.1eo.xyz
                      Source: DNS query: secure.usemobile.xyz
Source: unknown | DNS traffic detected: the following queries were answered with Name error (NXDOMAIN, reply code 3):
  smtp.rio.odn.ne.jp
  out.thesocialtablekw.com
  out.mclinknet.it
  secure.pryzmat-mp.com.pl
  securesmtp.ciadocredito.com.br
  mail.bioteklab.net
  smtp.baleartravel.com
  mail.realproperty.pk
  securesmtp.cervillio.it
  mail.hemmerle-it.com
  securesmtp.natugeo.com.br
  smtp.students.wits.ac.za
  mail.fma.uk.com
  smtp.holzland-jacobsen.de
  smtp.bitechco.vn
  securesmtp.aliaspc.fr
  fairetacartegrise.fr
  smtp.sdalmuttaqien.sch.id
  secure.usemobile.xyz
  smtp.data.com.au
  secure.asfa.k23.tr
  smtp.zm.g4s.com
  smtp.hospital.chiba-u.jp
  smtp.ckc.com.ar
  secure.firesolutions.com
  citytonganoxie.com
  mail.domainninja.co.za
  securesmtp.bikofix.com
  securesmtp.strans-logistics.com
  smtp.diaviva.it
  securesmtp.besafe-training.co.uk
  out.bobw.co
  secure.ci.petoskey.mi.us
  mail.claasguss.de
  securesmtp.aas.com.sa
  mail.shurls.co
  out.redovisual.com
  mail.axuccv.com
  secure.pqisbo.com
  leyvam.com
  securesmtp.sunrisetaxpro.com
  mail.netmexroom.online
  smtp.vbtech.rs
  mail.vitamincenter.it
  out.brtph632.bnr.ca
  securesmtp.dlgooch.plus.com
  smtp.berasamba.com
  secure.uk.symbol.com
  out.ptsd.k12.or.us
  securesmtp.yogabellies.co.uk
  out.polymetsa.com
  securesmtp.tuttomax.it
  mail.students.unnes.ad.id
  securesmtp.frykmooeei.com
  out.ipmavirtual.com.br
  securesmtp.clip.pt
  securesmtp.gemail.ge
  mail.studiozanini.it
  mail.one.lv
  securesmtp.beinwire.com
  secure.cendoj.ramajudicial.gov.co
  securesmtp.cungsuyngam.com
  mail.scoala3medias.ro
  securesmtp.famille-spence.fr
  mail.vision360it.co.in
  pqisbo.com
  securesmtp.studiodelsorbo.it
  out.kosmoservice.co.uk
  out.react.ind.br
  mail.sskengineers.com
  smtp.iamvip.co.uk
  out.gaea.ocn.ne.jp
  mail.containermarket.com.br
  out.excellencetechnologies.info
  mail.tape-host.site
  gfdzhgf.de
  mail.aweesomenet.net
  alt3.aspmx.l.googlemail.com
  out.os-sola.si
  out.sms.com.br
  smtp.mybvc.ca
  smtp.derboukil.biz
  secure.cervillio.it
  out.studiojmdesigner.com.br
  smtp.sakuraguard.ro
  smtp.deop.mg.gov.br
  securesmtp.crypteia.co.jp
  out.ser3ne.online
  securesmtp.deltawebdevelopers.com
  out.reborn.com.au
  secure.icai.org
  mail.smpnsatuataptambakukir.sch
  smtp.aghpf.org
  mail.cungsuyngam.com
  discount-card.nl
  out.fhw.oka-pu.ac.jp
  securesmtp.dupuwit.zarowpl
  out.ogtycejn.com
  secure.provincia.siena
  out.tobikodesign.com
  out.digikabel.hu
  out.vpbank.com.vn
  securesmtp.warrock.rwi.pl
  out.student.qut.au
  secure.kvsoluciones.com
  out.jaxsuns.com
  out.zanotelli.com.br
  secure.artgfx.com
  secure.wheelermiddle.k12.hi.us
  secure.kosmoservice.co.uk
  out.adagasluasa.com.mx
  mail.laesterwut.de
  mail.jaec.gov.jo
  secure.emmaus.qld.ed.au
  dundb-immobilien.info
  out.1eo.xyz
  securesmtp.aopervasweret.co.tv
  out.student.facultateademanagement.ro
  out.mhs.unsoed.ac.id
  smtp.aclband.com
  cbsoutdoor-com.mail.protection.outlook.com
  secure.hdliquidcatering.com
  securesmtp.moverway.com
  out.milano-pizzeria-herne.de
  smtp.scoutingsystem.com
  mail.marcbrown.co.uk
  securesmtp.fuwari.be
  securesmtp.agriturismoparcoverde.it
  secure.my-home-news.de
Source: unknown | DNS traffic detected: the following queries were answered with Server failure (SERVFAIL, reply code 2):
  secure.hkd.it
  mail.legacygreetings.com
  out.eyeluminati.org
  smtp.minecraft.pt
  mail.email.pl
                      Source: unknownNetwork traffic detected: DNS query count 341
                      Source: unknownNetwork traffic detected: IP country count 29
Source: global traffic TCP traffic: 192.168.2.4:49738 -> 185.43.220.45:4000
Source: global traffic TCP traffic: 192.168.2.4:49740 -> 104.19.239.228:587
Source: global traffic TCP traffic: 192.168.2.4:49741 -> 142.93.237.125:587
Source: global traffic TCP traffic: 192.168.2.4:49742 -> 64.233.184.26:587
Source: global traffic TCP traffic: 192.168.2.4:49743 -> 46.255.231.70:587
Source: global traffic TCP traffic: 192.168.2.4:49745 -> 120.50.131.112:587
Source: global traffic TCP traffic: 192.168.2.4:49749 -> 193.122.131.100:587
Source: global traffic TCP traffic: 192.168.2.4:49751 -> 104.18.3.81:587
Source: global traffic TCP traffic: 192.168.2.4:49752 -> 193.120.143.144:587
Source: global traffic TCP traffic: 192.168.2.4:49753 -> 3.125.131.179:587
Source: global traffic TCP traffic: 192.168.2.4:49754 -> 90.161.91.233:587
Source: global traffic TCP traffic: 192.168.2.4:49758 -> 194.152.32.10:587
Source: global traffic TCP traffic: 192.168.2.4:49760 -> 46.255.231.17:587
Source: global traffic TCP traffic: 192.168.2.4:49762 -> 213.209.1.147:587
Source: global traffic TCP traffic: 192.168.2.4:49763 -> 209.202.254.90:587
Source: global traffic TCP traffic: 192.168.2.4:49766 -> 64.91.253.60:587
Source: global traffic TCP traffic: 192.168.2.4:49767 -> 142.250.153.27:587
Source: global traffic TCP traffic: 192.168.2.4:49777 -> 84.116.6.3:587
Source: global traffic TCP traffic: 192.168.2.4:49778 -> 134.119.225.75:587
Source: global traffic TCP traffic: 192.168.2.4:49781 -> 20.23.140.143:587
Source: global traffic TCP traffic: 192.168.2.4:49788 -> 185.187.81.214:587
Source: global traffic TCP traffic: 192.168.2.4:49789 -> 64.59.128.135:587
Source: global traffic TCP traffic: 192.168.2.4:49790 -> 168.0.132.203:587
Source: global traffic TCP traffic: 192.168.2.4:49791 -> 205.139.110.221:587
Source: global traffic TCP traffic: 192.168.2.4:49793 -> 65.20.63.172:587
Source: global traffic TCP traffic: 192.168.2.4:49795 -> 213.209.1.145:587
Source: global traffic TCP traffic: 192.168.2.4:49796 -> 94.100.132.8:587
Source: global traffic TCP traffic: 192.168.2.4:49797 -> 64.136.44.44:587
Source: global traffic TCP traffic: 192.168.2.4:49798 -> 178.208.39.140:587
Source: global traffic TCP traffic: 192.168.2.4:49799 -> 177.70.110.120:587
Source: global traffic TCP traffic: 192.168.2.4:49800 -> 199.85.66.2:587
Source: global traffic TCP traffic: 192.168.2.4:49803 -> 142.251.9.27:587
Source: global traffic TCP traffic: 192.168.2.4:51182 -> 142.250.150.26:587
Source: global traffic TCP traffic: 192.168.2.4:51183 -> 209.216.88.140:587
Source: global traffic TCP traffic: 192.168.2.4:51184 -> 212.101.122.34:587
Source: global traffic TCP traffic: 192.168.2.4:51187 -> 35.71.162.15:587
Source: global traffic TCP traffic: 192.168.2.4:51189 -> 66.133.129.50:587
Source: global traffic TCP traffic: 192.168.2.4:51190 -> 194.19.134.66:587
Source: global traffic TCP traffic: 192.168.2.4:51191 -> 128.140.34.62:587
Source: global traffic TCP traffic: 192.168.2.4:51194 -> 72.52.178.23:587
Source: global traffic TCP traffic: 192.168.2.4:51199 -> 59.157.128.15:587
Source: global traffic TCP traffic: 192.168.2.4:51206 -> 13.248.169.48:587
Source: global traffic TCP traffic: 192.168.2.4:51209 -> 35.214.134.104:587
Source: global traffic TCP traffic: 192.168.2.4:51212 -> 139.134.5.153:587
Source: global traffic TCP traffic: 192.168.2.4:51213 -> 46.30.211.38:587
Source: global traffic TCP traffic: 192.168.2.4:51214 -> 2.207.150.234:587
Source: global traffic TCP traffic: 192.168.2.4:51215 -> 77.78.119.119:587
Source: global traffic TCP traffic: 192.168.2.4:51218 -> 129.80.43.150:587
Source: global traffic TCP traffic: 192.168.2.4:51220 -> 2.17.100.130:587
Source: global traffic TCP traffic: 192.168.2.4:51227 -> 52.98.179.34:587
Source: global traffic TCP traffic: 192.168.2.4:51234 -> 205.220.176.253:587
Source: global traffic TCP traffic: 192.168.2.4:51236 -> 81.236.63.162:587
Source: global traffic TCP traffic: 192.168.2.4:51246 -> 180.37.194.4:587
Source: global traffic TCP traffic: 192.168.2.4:51249 -> 90.176.151.96:587
Source: global traffic TCP traffic: 192.168.2.4:51256 -> 82.208.6.138:587
Source: global traffic TCP traffic: 192.168.2.4:51258 -> 203.134.153.82:587
Source: global traffic TCP traffic: 192.168.2.4:51269 -> 84.2.43.67:587
Source: global traffic TCP traffic: 192.168.2.4:51270 -> 3.130.204.160:587
Source: global traffic TCP traffic: 192.168.2.4:51273 -> 194.153.145.104:587
Source: global traffic TCP traffic: 192.168.2.4:51275 -> 77.75.76.191:587
Source: global traffic TCP traffic: 192.168.2.4:51278 -> 141.193.213.10:587
Source: global traffic TCP traffic: 192.168.2.4:51281 -> 77.75.78.173:587
Source: global traffic TCP traffic: 192.168.2.4:51284 -> 104.26.0.19:587
Source: global traffic TCP traffic: 192.168.2.4:51285 -> 146.75.122.114:587
Source: global traffic TCP traffic: 192.168.2.4:51286 -> 52.101.194.17:587
Source: global traffic TCP traffic: 192.168.2.4:51294 -> 3.111.210.243:587
Source: global traffic TCP traffic: 192.168.2.4:51296 -> 188.114.97.3:587
Source: global traffic TCP traffic: 192.168.2.4:51297 -> 54.38.163.43:587
Source: global traffic TCP traffic: 192.168.2.4:51298 -> 211.29.132.105:587
Source: global traffic TCP traffic: 192.168.2.4:51300 -> 41.178.51.174:587
Source: global traffic TCP traffic: 192.168.2.4:51303 -> 117.50.20.113:587
Source: global traffic TCP traffic: 192.168.2.4:51305 -> 62.149.128.202:587
Source: global traffic TCP traffic: 192.168.2.4:51310 -> 77.75.77.165:587
Source: global traffic TCP traffic: 192.168.2.4:51315 -> 151.101.193.193:587
Source: global traffic TCP traffic: 192.168.2.4:51317 -> 198.164.81.21:587
Source: global traffic TCP traffic: 192.168.2.4:51328 -> 182.248.170.98:587
Source: global traffic TCP traffic: 192.168.2.4:51330 -> 194.158.122.55:587
Source: global traffic TCP traffic: 192.168.2.4:51334 -> 186.192.83.12:587
Source: global traffic TCP traffic: 192.168.2.4:51340 -> 193.81.82.81:587
Source: global traffic TCP traffic: 192.168.2.4:51353 -> 87.230.86.47:587
Source: global traffic TCP traffic: 192.168.2.4:51366 -> 193.70.18.144:587
Source: global traffic TCP traffic: 192.168.2.4:51367 -> 35.213.210.37:587
Source: global traffic TCP traffic: 192.168.2.4:51372 -> 23.81.68.43:587
Source: global traffic TCP traffic: 192.168.2.4:51378 -> 106.153.226.2:587
Source: global traffic TCP traffic: 192.168.2.4:51381 -> 62.149.188.200:587
Source: global traffic TCP traffic: 192.168.2.4:51382 -> 195.250.128.78:587
Source: global traffic TCP traffic: 192.168.2.4:51386 -> 108.167.188.67:587
Source: global traffic TCP traffic: 192.168.2.4:51388 -> 74.125.200.26:587
Source: global traffic TCP traffic: 192.168.2.4:51389 -> 170.10.152.242:587
Source: global traffic TCP traffic: 192.168.2.4:51399 -> 132.226.58.96:587
Source: global traffic TCP traffic: 192.168.2.4:51405 -> 162.241.219.26:587
Source: global traffic TCP traffic: 192.168.2.4:51416 -> 89.39.182.172:587
Source: global traffic TCP traffic: 192.168.2.4:51421 -> 191.252.112.195:587
Source: global traffic TCP traffic: 192.168.2.4:51423 -> 90.216.128.5:587
Source: global traffic TCP traffic: 192.168.2.4:51424 -> 81.180.145.19:587
Source: global traffic TCP traffic: 192.168.2.4:51431 -> 217.160.0.220:587
Source: global traffic TCP traffic: 192.168.2.4:51443 -> 67.228.97.116:587
Source: global traffic TCP traffic: 192.168.2.4:51445 -> 217.160.0.251:587
Source: global traffic TCP traffic: 192.168.2.4:51447 -> 188.40.120.147:587
Source: global traffic TCP traffic: 192.168.2.4:51452 -> 104.16.242.118:587
Source: global traffic TCP traffic: 192.168.2.4:51456 -> 194.19.134.85:587
Source: global traffic TCP traffic: 192.168.2.4:51460 -> 66.235.200.145:587
Source: global traffic TCP traffic: 192.168.2.4:51470 -> 199.19.206.11:587
Source: global traffic TCP traffic: 192.168.2.4:51473 -> 208.97.155.221:587
Source: global traffic TCP traffic: 192.168.2.4:51479 -> 34.175.220.159:587
Source: global traffic TCP traffic: 192.168.2.4:51480 -> 201.248.80.69:587
Source: global traffic TCP traffic: 192.168.2.4:51484 -> 64.59.136.142:587
Source: global traffic TCP traffic: 192.168.2.4:51486 -> 109.168.108.106:587
Source: global traffic TCP traffic: 192.168.2.4:51504 -> 86.43.151.3:587
Source: global traffic TCP traffic: 192.168.2.4:51511 -> 188.114.96.3:587
Source: global traffic TCP traffic: 192.168.2.4:51529 -> 185.138.56.194:587
Source: global traffic TCP traffic: 192.168.2.4:51538 -> 185.53.177.50:587
Source: global traffic TCP traffic: 192.168.2.4:51544 -> 167.99.248.199:587
Source: global traffic TCP traffic: 192.168.2.4:51556 -> 213.205.32.10:587
Source: global traffic TCP traffic: 192.168.2.4:51579 -> 185.184.68.130:587
Source: global traffic TCP traffic: 192.168.2.4:51580 -> 200.58.111.55:587
Source: global traffic TCP traffic: 192.168.2.4:51586 -> 130.179.16.50:587
Source: global traffic TCP traffic: 192.168.2.4:51588 -> 60.36.166.190:587
Source: global traffic TCP traffic: 192.168.2.4:51595 -> 199.224.64.206:587
Source: global traffic TCP traffic: 192.168.2.4:51600 -> 209.67.129.55:587
Source: global traffic TCP traffic: 192.168.2.4:51601 -> 204.187.67.181:587
Source: global traffic TCP traffic: 192.168.2.4:51607 -> 64.136.52.50:587
Source: global traffic TCP traffic: 192.168.2.4:51640 -> 194.30.0.204:587
Source: global traffic TCP traffic: 192.168.2.4:51646 -> 94.177.209.28:587
Source: global traffic TCP traffic: 192.168.2.4:51660 -> 85.214.50.209:587
Source: global traffic TCP traffic: 192.168.2.4:51664 -> 74.208.226.14:587
Source: global traffic TCP traffic: 192.168.2.4:51687 -> 195.110.124.132:587
Source: global traffic TCP traffic: 192.168.2.4:51693 -> 41.216.132.146:587
Source: global traffic TCP traffic: 192.168.2.4:51712 -> 64.190.63.222:587
Source: global traffic TCP traffic: 192.168.2.4:51723 -> 45.163.29.160:587
Source: global traffic TCP traffic: 192.168.2.4:51728 -> 78.47.147.164:587
Source: global traffic TCP traffic: 192.168.2.4:51735 -> 52.101.73.19:587
Source: global traffic TCP traffic: 192.168.2.4:51736 -> 193.146.32.248:587
Source: global traffic TCP traffic: 192.168.2.4:51737 -> 40.99.150.98:587
Source: global traffic TCP traffic: 192.168.2.4:51740 -> 20.201.112.190:587
Source: global traffic TCP traffic: 192.168.2.4:51741 -> 54.208.31.49:587
Source: global traffic DNS traffic detected: number of DNS queries: 341
Source: Joe Sandbox View IP Address: 77.78.119.119 77.78.119.119
Source: Joe Sandbox View IP Address: 209.202.254.90 209.202.254.90
Source: Joe Sandbox View IP Address: 129.80.43.150 129.80.43.150
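The network evidence above has a recognisable shape: hundreds of lookups for guessed mail-server hostnames (securesmtp.*, smtp.*, mail.*, out.*, secure.*) that come back NXDOMAIN, a fan-out of TCP connections to port 587 (SMTP submission) across well over a hundred distinct peers, and one connection that fits neither mail nor web (185.43.220.45:4000). The following script is an added example, not part of the Joe Sandbox report or of the malware, that parses report lines of this format and turns those three observations into a triage verdict. The regexes accept both the report's "replaycode:" spelling and "reply code:"; the thresholds (five NXDOMAIN mail hostnames, five submission-port peers) are assumptions chosen so the small constructed sample trips them, and would be raised for production use. The sample lines are lifted from the report above.

```python
"""Spam-bot triage over Joe Sandbox style network lines (added example).

Flags three behaviours documented in the report: a burst of NXDOMAIN answers
for SMTP-looking hostnames, a fan-out of TCP connections to the mail
submission port across many distinct peers, and connections on ports that
are neither mail nor web. Thresholds are assumptions, not report values.
"""
import re
from collections import Counter

# Report line shapes. The report spells the field "replaycode"; accept both
# that and the corrected "reply code".
DNS_RE = re.compile(
    r"DNS traffic detected: query: (?P<name>\S+) repla?y ?code: "
    r"(?P<text>[^(]+)\((?P<rc>\d+)\)"
)
TCP_RE = re.compile(
    r"TCP traffic: (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# Hostname labels a mass mailer guesses for a victim domain's mail server.
MAIL_LABELS = ("smtp.", "securesmtp.", "secure.", "mail.", "out.", "mx.")
MAIL_PORTS = {25, 465, 587}
EXPECTED_PORTS = MAIL_PORTS | {53, 80, 443}
NXDOMAIN, SERVFAIL = 3, 2  # DNS RCODE values (RFC 1035)


def parse_lines(lines):
    """Return ([(name, rcode)], [(dst_ip, dst_port)]) from report text lines."""
    dns, tcp = [], []
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            dns.append((m["name"].lower(), int(m["rc"])))
            continue
        m = TCP_RE.search(line)
        if m:
            tcp.append((m["dst"], int(m["dport"])))
    return dns, tcp


def triage(lines, min_nx_mail=5, min_mail_peers=5):
    """Summarise the spam-bot indicators and return a dict with a verdict."""
    dns, tcp = parse_lines(lines)
    nx_mail = sorted({n for n, rc in dns
                      if rc == NXDOMAIN and n.startswith(MAIL_LABELS)})
    mail_peers = sorted({dst for dst, port in tcp if port in MAIL_PORTS})
    odd = sorted({(dst, port) for dst, port in tcp
                  if port not in EXPECTED_PORTS})
    findings = []
    if len(nx_mail) >= min_nx_mail:
        findings.append(f"{len(nx_mail)} SMTP-style hostnames returned NXDOMAIN "
                        "(guessed mail servers)")
    if len(mail_peers) >= min_mail_peers:
        findings.append(f"submission-port fan-out to {len(mail_peers)} "
                        "distinct peers")
    for dst, port in odd:
        findings.append(f"connection to {dst}:{port} on a non-mail, non-web "
                        "port (possible C2 channel)")
    return {
        "nxdomain_mail_hosts": nx_mail,
        "mail_peers": mail_peers,
        "odd_ports": odd,
        "rcodes": dict(Counter(rc for _, rc in dns)),
        "findings": findings,
        # Two independent indicators are required for a positive verdict.
        "verdict": "spam-bot" if len(findings) >= 2 else "inconclusive",
    }


# Constructed sample: a handful of lines in the report's own format.
SAMPLE = """\
Source: unknown DNS traffic detected: query: securesmtp.warrock.rwi.pl replaycode: Name error (3)
Source: unknown DNS traffic detected: query: out.jaxsuns.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: secure.artgfx.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: mail.laesterwut.de reply code: Name error (3)
Source: unknown DNS traffic detected: query: smtp.aclband.com reply code: Name error (3)
Source: unknown DNS traffic detected: query: mail.email.pl replaycode: Server failure (2)
Source: unknown DNS traffic detected: query: dundb-immobilien.info replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic TCP traffic: 192.168.2.4:49738 -> 185.43.220.45:4000
Source: global traffic TCP traffic: 192.168.2.4:49740 -> 104.19.239.228:587
Source: global traffic TCP traffic: 192.168.2.4:49741 -> 142.93.237.125:587
Source: global traffic TCP traffic: 192.168.2.4:49742 -> 64.233.184.26:587
Source: global traffic TCP traffic: 192.168.2.4:49743 -> 46.255.231.70:587
Source: global traffic TCP traffic: 192.168.2.4:49745 -> 120.50.131.112:587
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Feeding the full report text to `triage` instead of `SAMPLE` gives the same verdict with far larger counts; the same parser applies to exported Zeek `dns.log`/`conn.log` once the regexes are swapped for the field layout of those files.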
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (this entry is repeated 50 times in the report)
Source: hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, hnhoatl.exe.4.dr, hfmfgq.exe.9.dr, tupug.exe.11.dr, Immmsbclaz.exe.0.dr | String found in binary or memory: v=Chttps://www.youtube.com/embed/{0} equals www.youtube.com (Youtube)
Source: hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, hnhoatl.exe.4.dr, hfmfgq.exe.9.dr, tupug.exe.11.dr, Immmsbclaz.exe.0.dr | String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: claywyaeropumps.com
Source: t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002791000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003460000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2012394682.0000000005950000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003266000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2012394682.0000000005950000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BD4000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2532284029.0000000004512000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003266000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 0000000C.00000002.2958017864.000000000411E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2012394682.0000000005950000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003266000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, hnhoatl.exe.4.dr, hfmfgq.exe.9.dr, tupug.exe.11.dr, Immmsbclaz.exe.0.dr | String found in binary or memory: https://player.vimeo.com/video/
Source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2012394682.0000000005950000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003266000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2012394682.0000000005950000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003266000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 0000000C.00000002.2942050318.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2012394682.0000000005950000.00000004.08000000.00040000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003B1C000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, hnhoatl.exe.4.dr, hfmfgq.exe.9.dr, tupug.exe.11.dr, Immmsbclaz.exe.0.dr | String found in binary or memory: https://www.youtube.com/embed/

                      Spam, unwanted Advertisements and Ransom Demands

Source: SMTP | Network traffic detected: Mail traffic on many different IPs 58

                      System Summary

Source: t5SYVk0Tkt.exe, -.cs | Large array initialization: _0012: array initializer size 2124
Source: Immmsbclaz.exe.0.dr, -.cs | Large array initialization: _0012: array initializer size 2124
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | File created: C:\Windows\Tasks\Test Task17.job
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 0_2_058EF778
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_0598236112_2_05982361
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_0598D2C812_2_0598D2C8
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_05988A7812_2_05988A78
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_05988A6812_2_05988A68
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_05A4BBD012_2_05A4BBD0
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_05AA004012_2_05AA0040
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_05AAF51812_2_05AAF518
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_05AA000712_2_05AA0007
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_05AA004012_2_05AA0040
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_05CFF1C012_2_05CFF1C0
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_05CFDD6812_2_05CFDD68
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_05CE004012_2_05CE0040
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_05CE000612_2_05CE0006
                      Source: C:\ProgramData\iigeb\hnhoatl.exeCode function: 12_2_05CFD25812_2_05CFD258
Source: t5SYVk0Tkt.exe, 00000000.00000002.2014234526.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameXlxkojhbno.dll" vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003A51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe, 00000000.00000002.2001344094.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe, 00000000.00000002.2013029719.0000000005B40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXlxkojhbno.dll" vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe, 00000000.00000002.2012394682.0000000005950000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe | Binary or memory string: OriginalFilenameNATcontroler.exe: vs t5SYVk0Tkt.exe
Source: t5SYVk0Tkt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: t5SYVk0Tkt.exe, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: t5SYVk0Tkt.exe, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Immmsbclaz.exe.0.dr, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Immmsbclaz.exe.0.dr, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 0.2.t5SYVk0Tkt.exe.3b3b3f0.10.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.t5SYVk0Tkt.exe.3b3b3f0.10.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.t5SYVk0Tkt.exe.3b3b3f0.10.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.t5SYVk0Tkt.exe.3b3b3f0.10.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.t5SYVk0Tkt.exe.3b3b3f0.10.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.t5SYVk0Tkt.exe.3b3b3f0.10.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.t5SYVk0Tkt.exe.3b3b3f0.10.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.t5SYVk0Tkt.exe.3b3b3f0.10.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine | Classification label: mal100.spre.troj.evad.winEXE@13/12@380/100
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4_2_0040166B CreateToolhelp32Snapshot
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | File created: C:\Users\user\AppData\Roaming\Immmsbclaz.exe
Source: C:\ProgramData\iigeb\hnhoatl.exe | Mutant created: NULL
Source: C:\ProgramData\iigeb\hnhoatl.exe | Mutant created: \Sessions\1\BaseNamedObjects\Test Task17
Source: t5SYVk0Tkt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: t5SYVk0Tkt.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: t5SYVk0Tkt.exe | ReversingLabs: Detection: 34%
Source: t5SYVk0Tkt.exe | Virustotal: Detection: 32%
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | File read: C:\Users\user\Desktop\t5SYVk0Tkt.exe
Source: unknown | Process created: C:\Users\user\Desktop\t5SYVk0Tkt.exe "C:\Users\user\Desktop\t5SYVk0Tkt.exe"
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Process created: C:\Users\user\Desktop\t5SYVk0Tkt.exe "C:\Users\user\Desktop\t5SYVk0Tkt.exe"
Source: unknown | Process created: C:\ProgramData\iigeb\hnhoatl.exe C:\ProgramData\iigeb\hnhoatl.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Immmsbclaz.exe "C:\Users\user\AppData\Roaming\Immmsbclaz.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Immmsbclaz.exe "C:\Users\user\AppData\Roaming\Immmsbclaz.exe"
Source: C:\ProgramData\iigeb\hnhoatl.exe | Process created: C:\ProgramData\iigeb\hnhoatl.exe "C:\ProgramData\iigeb\hnhoatl.exe"
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Process created: C:\Users\user\AppData\Roaming\Immmsbclaz.exe "C:\Users\user\AppData\Roaming\Immmsbclaz.exe"
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Process created: C:\Users\user\AppData\Roaming\Immmsbclaz.exe "C:\Users\user\AppData\Roaming\Immmsbclaz.exe"
Source: unknown | Process created: C:\ProgramData\iigeb\hnhoatl.exe C:\ProgramData\iigeb\hnhoatl.exe
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Process created: C:\Users\user\Desktop\t5SYVk0Tkt.exe "C:\Users\user\Desktop\t5SYVk0Tkt.exe"
Source: C:\ProgramData\iigeb\hnhoatl.exe | Process created: C:\ProgramData\iigeb\hnhoatl.exe "C:\ProgramData\iigeb\hnhoatl.exe"
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Process created: C:\Users\user\AppData\Roaming\Immmsbclaz.exe "C:\Users\user\AppData\Roaming\Immmsbclaz.exe"
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Process created: C:\Users\user\AppData\Roaming\Immmsbclaz.exe "C:\Users\user\AppData\Roaming\Immmsbclaz.exe"
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Section loaded: mpr.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: version.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: wldp.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: amsi.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: userenv.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: profapi.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: mstask.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: wsock32.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Section loaded: mstask.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: version.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: wldp.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: amsi.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: userenv.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: profapi.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\iigeb\hnhoatl.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: t5SYVk0Tkt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: t5SYVk0Tkt.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: t5SYVk0Tkt.exe | Static file information: File size 2991104 > 1048576
Source: t5SYVk0Tkt.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2d9a00
Source: t5SYVk0Tkt.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: t5SYVk0Tkt.exe, 00000000.00000002.2013029719.0000000005B40000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004B36000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003460000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: t5SYVk0Tkt.exe, 00000000.00000002.2013029719.0000000005B40000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004B36000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003460000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2012394682.0000000005950000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003266000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2003536249.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2012394682.0000000005950000.00000004.08000000.00040000.00000000.sdmp, t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2324181220.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2446972226.0000000004ADC000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003266000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: t5SYVk0Tkt.exe, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                      Source: Immmsbclaz.exe.0.dr, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.t5SYVk0Tkt.exe.3acd5b0.5.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                      Source: 0.2.t5SYVk0Tkt.exe.3acd5b0.5.raw.unpack, ListDecorator.cs | .Net Code: Read
                      Source: 0.2.t5SYVk0Tkt.exe.3acd5b0.5.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                      Source: 0.2.t5SYVk0Tkt.exe.3acd5b0.5.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                      Source: 0.2.t5SYVk0Tkt.exe.3acd5b0.5.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                      Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                      Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                      Source: 0.2.t5SYVk0Tkt.exe.5b40000.15.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                      Source: 0.2.t5SYVk0Tkt.exe.3b3b3f0.10.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                      Source: 0.2.t5SYVk0Tkt.exe.3b3b3f0.10.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                      Source: 0.2.t5SYVk0Tkt.exe.3b3b3f0.10.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                      Source: 0.2.t5SYVk0Tkt.exe.3a7d590.6.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                      Source: 0.2.t5SYVk0Tkt.exe.3a7d590.6.raw.unpack, ListDecorator.cs | .Net Code: Read
                      Source: 0.2.t5SYVk0Tkt.exe.3a7d590.6.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                      Source: 0.2.t5SYVk0Tkt.exe.3a7d590.6.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                      Source: 0.2.t5SYVk0Tkt.exe.3a7d590.6.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                      Source: Yara match | File source: 12.2.hnhoatl.exe.3f1c350.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.hnhoatl.exe.400c390.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Immmsbclaz.exe.43103d0.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hnhoatl.exe.3a7c370.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.hnhoatl.exe.3ef4330.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.t5SYVk0Tkt.exe.3cca008.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.hnhoatl.exe.3f1c350.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Immmsbclaz.exe.43103d0.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.t5SYVk0Tkt.exe.3d42048.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Immmsbclaz.exe.42e83b0.11.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Immmsbclaz.exe.43603f0.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.hnhoatl.exe.3ef4330.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.hnhoatl.exe.3f6c370.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Immmsbclaz.exe.331268c.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Immmsbclaz.exe.4400410.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.Immmsbclaz.exe.3926938.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hnhoatl.exe.3a04330.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.hnhoatl.exe.2f12588.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Immmsbclaz.exe.42e83b0.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.Immmsbclaz.exe.49203d0.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.Immmsbclaz.exe.49203d0.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.hnhoatl.exe.2f12588.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hnhoatl.exe.3a04330.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.Immmsbclaz.exe.48f83b0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hnhoatl.exe.3a2c350.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.Immmsbclaz.exe.48f83b0.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Immmsbclaz.exe.331268c.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.Immmsbclaz.exe.49703f0.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hnhoatl.exe.3b1c390.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.Immmsbclaz.exe.3926938.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.Immmsbclaz.exe.4a10410.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.t5SYVk0Tkt.exe.58f0000.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hnhoatl.exe.3a2c350.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000007.00000002.2532284029.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2958017864.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2003536249.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.2446972226.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2324181220.0000000003B1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2012169866.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2532284029.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2319724842.000000000297A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2532284029.0000000004310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.2446972226.00000000048A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2958017864.000000000400C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2958017864.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2532284029.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2958017864.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2319724842.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.2439318021.000000000387A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2324181220.00000000037A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2520525799.0000000003266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: t5SYVk0Tkt.exe PID: 6668, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: hnhoatl.exe PID: 4476, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Immmsbclaz.exe PID: 5780, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Immmsbclaz.exe PID: 6400, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: hnhoatl.exe PID: 2436, type: MEMORYSTR
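The Yara-match list above identifies each hit by a Joe Sandbox artifact name rather than by rule name, and the same hit often appears twice (once as `.unpack`, once as `.raw.unpack`) or as both an unpacked PE and a memory dump. The Python below, added here as an example and not code from the report or from Joe Security, decodes those names and groups the hits per analysed process so a reader can see which images and which memory regions were flagged. It relies only on correspondences the list itself shows: `12.2.hnhoatl.exe` pairs with the `0000000C.00000002` dumps and `7.2.Immmsbclaz.exe` with `00000007.00000002`, and unpack offsets such as `3ef4330` fall inside the `3EF4000` region. Calling the second field a "dump index" is an assumption, the remaining `.sdmp` fields are left undecoded, and the Windows PIDs in the `MEMORYSTR` lines are a different namespace from the process index, so they are kept apart.

```python
"""Decode Joe Sandbox Yara-match source identifiers and group hits per process.

Added example; not code from the Joe Sandbox report or from Joe Security.
Assumptions: the second dotted field is a dump index; the trailing .sdmp
fields are not decoded; Windows PIDs (MEMORYSTR) are a separate namespace.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the report, in both the fused form the
# extracted page uses ("Yara matchFile source") and a separated form, plus one
# non-Yara line to show that it is ignored.
SAMPLE_LINES = [
    "Source: Yara matchFile source: 12.2.hnhoatl.exe.3f1c350.3.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 12.2.hnhoatl.exe.3f1c350.3.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 7.2.Immmsbclaz.exe.43103d0.9.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 0.2.t5SYVk0Tkt.exe.3cca008.4.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 0000000C.00000002.2958017864.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000007.00000002.2532284029.0000000004310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: Process Memory Space: hnhoatl.exe PID: 4476, type: MEMORYSTR",
    "Source: C:\\Users\\user\\Desktop\\t5SYVk0Tkt.exe | Code function: 0_2_058E3B1F push ebp; retf 0_2_058E3B22",
]

SOURCE_RE = re.compile(r"File source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>\w+)\s*$")
# <process index>.<dump index>.<image>.<hex offset>.<k>.(raw.)unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<dump>\d+)\.(?P<image>.+)\.(?P<addr>[0-9a-fA-F]+)\.(?P<k>\d+)\.(?:raw\.unpack|unpack)$")
# <PID hex>.<dump index>.<undecoded id>.<region base hex>.<undecoded fields>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<dump>\d{8})\.(?P<ident>\d+)\.(?P<base>[0-9A-Fa-f]{16})\.(?P<rest>.+)\.sdmp$")
MEMSTR_RE = re.compile(r"^Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)$")

PAGE_MASK = ~0xFFF  # 4 KiB pages: folds an unpack offset onto the page it lives in


def parse_source(line):
    """Return a dict describing one Yara-match line, or None if it is not one."""
    m = SOURCE_RE.search(line)
    if not m or "Yara match" not in line:
        return None
    src, kind = m.group("src"), m.group("kind")
    if kind == "UNPACKEDPE":
        u = UNPACK_RE.match(src)
        if not u:
            return None
        return {"kind": kind, "proc": int(u["proc"]), "dump": int(u["dump"]),
                "image": u["image"], "addr": int(u["addr"], 16)}
    if kind == "MEMORY":
        s = SDMP_RE.match(src)
        if not s:
            return None
        return {"kind": kind, "proc": int(s["pid"], 16), "dump": int(s["dump"]),
                "image": None, "addr": int(s["base"], 16)}
    if kind == "MEMORYSTR":
        p = MEMSTR_RE.match(src)
        if not p:
            return None
        return {"kind": kind, "image": p["image"], "os_pid": int(p["pid"])}
    return None


def summarize(lines):
    """Group matches by process index; return (per_proc, os_pids).

    per_proc[idx] = {"images": image names, "regions": page-aligned region bases}
    os_pids[image] = Windows PIDs reported by the MEMORYSTR lines
    """
    per_proc = defaultdict(lambda: {"images": set(), "regions": set()})
    os_pids = defaultdict(set)
    for line in lines:
        rec = parse_source(line)
        if rec is None:
            continue
        if rec["kind"] == "MEMORYSTR":
            os_pids[rec["image"]].add(rec["os_pid"])
            continue
        entry = per_proc[rec["proc"]]
        if rec["image"]:
            entry["images"].add(rec["image"])
        # Page-align so a .unpack offset and its .sdmp region base collapse to one key.
        entry["regions"].add(rec["addr"] & PAGE_MASK)
    return dict(per_proc), dict(os_pids)


if __name__ == "__main__":
    per_proc, os_pids = summarize(SAMPLE_LINES)
    for idx in sorted(per_proc):
        e = per_proc[idx]
        print(f"process {idx}: {sorted(e['images'])} regions {[hex(r) for r in sorted(e['regions'])]}")
    print("Windows PIDs:", {k: sorted(v) for k, v in os_pids.items()})
```

Page alignment is an approximation: a region larger than one page (for example the `0.2.t5SYVk0Tkt.exe.3cca008.4` hit, whose dump base is `3C78000`) will not fold onto its `.sdmp` key, so treat the region sets as a triage aid rather than an exact join.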
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 0_2_058E3B1F push ebp; retf 0_2_058E3B22
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 0_2_058E3B66 push cs; retf 0_2_058E3B69
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 0_2_059A9C24 push es; iretd 0_2_059A9C27
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 0_2_059A8670 push 8B6C862Ah; iretd 0_2_059A8675
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4_2_0040526D pushad ; ret 4_2_004052C5
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4_2_00405118 pushad ; ret 4_2_004052C5
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 5_2_054E3B66 push cs; retf 5_2_054E3B69
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 5_2_054E3B1F push ebp; retf 5_2_054E3B22
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 5_2_055A8670 push 8B6CC62Ah; iretd 5_2_055A8675
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_062B5F61 push es; ret 6_2_062B5F6C
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_062B3B1F push ebp; retf 6_2_062B3B22
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_062B3B66 push cs; retf 6_2_062B3B69
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_062BB830 push es; ret 6_2_062BB8E0
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_06378670 push 8B6BE92Ah; iretd 6_2_06378675
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_06370814 push 8BF88B6Bh; retf 6_2_0637081D
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_0637085D push 8BF08B6Bh; retf 6_2_0637087F
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_0650B54C push es; retf 6_2_0650B558
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_065035F9 push es; ret 6_2_065035FC
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_0650AA69 push es; ret 6_2_0650AA6C
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_0650AA29 push es; iretd 6_2_0650AA60
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_0650AB01 push es; retf 6_2_0650AB04
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_0650938F push es; ret 6_2_065093B4
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 6_2_065093BA push es; retf 6_2_065093C4
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 7_2_05F63B66 push cs; retf 7_2_05F63B69
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 7_2_05F63B1F push ebp; retf 7_2_05F63B22
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 7_2_06028670 push 8B6C1E2Ah; iretd 7_2_06028675
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 7_2_06027FDD push ss; retf 7_2_06027FE2
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 7_2_061BB54C push es; retf 7_2_061BB558
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Code function: 7_2_061B93BA push es; retf 7_2_061B93C4
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 12_2_05983B1F push ebp; retf 12_2_05983B22
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Code function: 12_2_05983B66 push cs; retf 12_2_05983B69
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | File created: C:\ProgramData\uwhicqw\tupug.exe (dropped file)
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | File created: C:\ProgramData\iphiso\hfmfgq.exe (dropped file)
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | File created: C:\ProgramData\iigeb\hnhoatl.exe (dropped file)
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | File created: C:\Users\user\AppData\Roaming\Immmsbclaz.exe (dropped file)
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | File created: C:\Windows\Tasks\Test Task17.job
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Immmsbclaz
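Taken together, the file-creation and Run-key lines above are the persistence artifacts a responder would hunt for: four PE files dropped under C:\ProgramData and the user's AppData, a legacy Task Scheduler .job written straight into C:\Windows\Tasks, and an HKCU Run value named after the dropped Immmsbclaz.exe. The Python below, an added example rather than code from the report or from Joe Security, parses those lines (in the fused form the extracted page uses as well as a separated form) into IOC sets and then evaluates constructed Sysmon-style events against them. The three behavioural rules are this example's own generalizations of what the lines show (a .job dropped into C:\Windows\Tasks, a user-profile process writing a PE under C:\ProgramData, a Run value whose data points into a user-writable path), not the sandbox's signatures; the event field names follow Sysmon's EventID 11 (FileCreate) and EventID 13 (RegistryEvent, value set) schema, and the SID in the sample registry path is made up.

```python
"""Turn the report's drop/persistence lines into hunt artifacts and run them
against Sysmon-style events.

Added example; not code from the Joe Sandbox report or from Joe Security.
REPORT_LINES are copied from the page. SAMPLE_EVENTS are constructed for the
demo and use Sysmon field names (EventID 11: Image, TargetFilename;
EventID 13: Image, TargetObject, Details). The detection rules are this
example's own, not the sandbox's signatures.
"""
import re

REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exeFile created: C:\ProgramData\uwhicqw\tupug.exeJump to dropped file",
    r"Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exeFile created: C:\ProgramData\iphiso\hfmfgq.exeJump to dropped file",
    r"Source: C:\Users\user\Desktop\t5SYVk0Tkt.exeFile created: C:\ProgramData\iigeb\hnhoatl.exeJump to dropped file",
    r"Source: C:\Users\user\Desktop\t5SYVk0Tkt.exeFile created: C:\Users\user\AppData\Roaming\Immmsbclaz.exeJump to dropped file",
    r"Source: C:\Users\user\Desktop\t5SYVk0Tkt.exeFile created: C:\Windows\Tasks\Test Task17.jobJump to behavior",
    r"Source: C:\Users\user\Desktop\t5SYVk0Tkt.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ImmmsbclazJump to behavior",
]

# Trailing link text ("Jump to ...") or a "(dropped file)" label is optional,
# and the actor/event columns may be fused or separated by " | ".
_TAIL = r"(?:\s*\(dropped file\)|Jump to .*)?$"
FILE_RE = re.compile(r"^Source:\s*(?P<actor>.+?\.exe)\s*\|?\s*File created:\s*(?P<path>.+?)" + _TAIL)
REG_RE = re.compile(r"^Source:\s*(?P<actor>.+?\.exe)\s*\|?\s*Registry value created or modified:\s*"
                    r"(?P<key>HKEY\S+)\s+(?P<value>.+?)" + _TAIL)


def extract_iocs(lines):
    """Collect dropped PEs, scheduler .job files, Run-key values and the writing processes."""
    iocs = {"dropped_pe": set(), "job_files": set(), "run_values": set(), "actors": set()}
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            iocs["actors"].add(m.group("actor"))
            if path.lower().endswith(".exe"):
                iocs["dropped_pe"].add(path)
            elif path.lower().endswith(".job"):
                iocs["job_files"].add(path)
            continue
        m = REG_RE.match(line)
        if m:
            iocs["actors"].add(m.group("actor"))
            iocs["run_values"].add((m.group("key"), m.group("value")))
    return iocs


RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
USER_WRITABLE = ("\\users\\", "\\programdata\\")


def match_event(event, iocs):
    """Return the names of the detections that fire for one Sysmon-style event."""
    hits = []
    if event.get("EventID") == 11:  # FileCreate
        target = event["TargetFilename"]
        low = target.lower()
        image = event.get("Image", "").lower()
        if low.startswith("c:\\windows\\tasks\\") and low.endswith(".job"):
            hits.append("job_file_persistence")  # legacy Task Scheduler job dropped directly
        if low.endswith(".exe") and low.startswith("c:\\programdata\\") and "\\users\\" in image:
            hits.append("user_process_drops_pe_to_programdata")
        if target in iocs["dropped_pe"] or target in iocs["job_files"]:
            hits.append("known_dropped_path")  # exact path seen in the sandbox run
    elif event.get("EventID") == 13:  # RegistryEvent: value set
        obj = event["TargetObject"].lower()
        data = event.get("Details", "").lower()
        if RUN_KEY in obj:
            value_name = obj.rsplit("\\", 1)[-1]
            if any(value_name == v.lower() for _, v in iocs["run_values"]):
                hits.append("known_run_value_name")
            if any(p in data for p in USER_WRITABLE):
                hits.append("run_value_points_to_user_writable_path")
    return hits


def run_detections(events, iocs):
    """Evaluate every event; returns one hit list per event, in input order."""
    return [match_event(e, iocs) for e in events]


# Constructed Sysmon-style events: three mirroring the report's behaviour, one benign control.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\t5SYVk0Tkt.exe",
     "TargetFilename": r"C:\Windows\Tasks\Test Task17.job"},
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Roaming\Immmsbclaz.exe",
     "TargetFilename": r"C:\ProgramData\uwhicqw\tupug.exe"},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\t5SYVk0Tkt.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Immmsbclaz",
     "Details": r"C:\Users\user\AppData\Roaming\Immmsbclaz.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Tasks\SA.DAT"},
]

if __name__ == "__main__":
    iocs = extract_iocs(REPORT_LINES)
    for name, values in iocs.items():
        print(name, sorted(values))
    for event, hits in zip(SAMPLE_EVENTS, run_detections(SAMPLE_EVENTS, iocs)):
        print(event.get("TargetFilename") or event.get("TargetObject"), "->", hits or "no hit")
```

The exact-path rules are only useful against this sample; the three behavioural rules are what carry over to the next build, since the directory names under C:\ProgramData and the Run value name are the parts a repack is most likely to change.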
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Process information set: NOOPENFILEERRORBOX (33 occurrences; this is the SetErrorMode flag SEM_NOOPENFILEERRORBOX, which stops Windows from prompting the user when a file cannot be found and returns the error to the caller instead)
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Process information set: NOOPENFILEERRORBOX (31 occurrences)
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Process information set: NOOPENFILEERRORBOX (62 occurrences)
                      Source: C:\ProgramData\iigeb\hnhoatl.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match | File source: Process Memory Space: t5SYVk0Tkt.exe PID: 6668, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: hnhoatl.exe PID: 4476, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Immmsbclaz.exe PID: 5780, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Immmsbclaz.exe PID: 6400, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: hnhoatl.exe PID: 2436, type: MEMORYSTR
                      Source: t5SYVk0Tkt.exe, 00000000.00000002.2002312096.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 00000005.00000002.2319724842.000000000297A000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000006.00000002.2439318021.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Immmsbclaz.exe, 00000007.00000002.2520525799.0000000003266000.00000004.00000800.00020000.00000000.sdmp, hnhoatl.exe, 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | RDTSC instruction interceptor: First address: 402E5A second address: 402E5A instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 mov ebp, esp 0x00000005 push ebx 0x00000006 push ecx 0x00000007 push edx 0x00000008 push edi 0x00000009 push esi 0x0000000a imul eax, eax, 001E7319h 0x00000010 add eax, 3CFB5543h 0x00000015 rcr eax, 10h 0x00000018 add eax, esi 0x0000001a imul eax, edi 0x0000001d xor edx, edx 0x0000001f mul dword ptr [ebp+08h] 0x00000022 mov eax, edx 0x00000024 pop esi 0x00000025 pop edi 0x00000026 pop edx 0x00000027 pop ecx 0x00000028 pop ebx 0x00000029 leave 0x0000002a retn 0004h 0x0000002d lea eax, dword ptr [eax+00000300h] 0x00000033 push eax 0x00000034 push 00405C2Fh 0x00000039 call 00007FF660EE088Ch 0x0000003e push ebp 0x0000003f mov ebp, esp 0x00000041 push ebx 0x00000042 push edi 0x00000043 push esi 0x00000044 mov edi, dword ptr [ebp+08h] 0x00000047 push 000000FFh 0x0000004c call 00007FF660EDF049h 0x00000051 rdtsc
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | RDTSC instruction interceptor: First address: 402E5A second address: 402E5A instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 mov ebp, esp 0x00000005 push ebx 0x00000006 push ecx 0x00000007 push edx 0x00000008 push edi 0x00000009 push esi 0x0000000a imul eax, eax, 001E7319h 0x00000010 add eax, 3CFB5543h 0x00000015 rcr eax, 10h 0x00000018 add eax, esi 0x0000001a imul eax, edi 0x0000001d xor edx, edx 0x0000001f mul dword ptr [ebp+08h] 0x00000022 mov eax, edx 0x00000024 pop esi 0x00000025 pop edi 0x00000026 pop edx 0x00000027 pop ecx 0x00000028 pop ebx 0x00000029 leave 0x0000002a retn 0004h 0x0000002d lea eax, dword ptr [eax+00000300h] 0x00000033 push eax 0x00000034 push 00405C2Fh 0x00000039 call 00007FF6607DB88Ch 0x0000003e push ebp 0x0000003f mov ebp, esp 0x00000041 push ebx 0x00000042 push edi 0x00000043 push esi 0x00000044 mov edi, dword ptr [ebp+08h] 0x00000047 push 000000FFh 0x0000004c call 00007FF6607DA049h 0x00000051 rdtsc
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | RDTSC instruction interceptor: First address: 402E5A second address: 402E5A instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 mov ebp, esp 0x00000005 push ebx 0x00000006 push ecx 0x00000007 push edx 0x00000008 push edi 0x00000009 push esi 0x0000000a imul eax, eax, 001E7319h 0x00000010 add eax, 3CFB5543h 0x00000015 rcr eax, 10h 0x00000018 add eax, esi 0x0000001a imul eax, edi 0x0000001d xor edx, edx 0x0000001f mul dword ptr [ebp+08h] 0x00000022 mov eax, edx 0x00000024 pop esi 0x00000025 pop edi 0x00000026 pop edx 0x00000027 pop ecx 0x00000028 pop ebx 0x00000029 leave 0x0000002a retn 0004h 0x0000002d lea eax, dword ptr [eax+00000300h] 0x00000033 push eax 0x00000034 push 00405C2Fh 0x00000039 call 00007FF660EE088Ch 0x0000003e push ebp 0x0000003f mov ebp, esp 0x00000041 push ebx 0x00000042 push edi 0x00000043 push esi 0x00000044 mov edi, dword ptr [ebp+08h] 0x00000047 push 000000FFh 0x0000004c call 00007FF660EDF049h 0x00000051 rdtsc
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | RDTSC instruction interceptor: First address: 402E5A second address: 402E5A instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 mov ebp, esp 0x00000005 push ebx 0x00000006 push ecx 0x00000007 push edx 0x00000008 push edi 0x00000009 push esi 0x0000000a imul eax, eax, 001E7319h 0x00000010 add eax, 3CFB5543h 0x00000015 rcr eax, 10h 0x00000018 add eax, esi 0x0000001a imul eax, edi 0x0000001d xor edx, edx 0x0000001f mul dword ptr [ebp+08h] 0x00000022 mov eax, edx 0x00000024 pop esi 0x00000025 pop edi 0x00000026 pop edx 0x00000027 pop ecx 0x00000028 pop ebx 0x00000029 leave 0x0000002a retn 0004h 0x0000002d lea eax, dword ptr [eax+00000300h] 0x00000033 push eax 0x00000034 push 00405C2Fh 0x00000039 call 00007FF6607DB88Ch 0x0000003e push ebp 0x0000003f mov ebp, esp 0x00000041 push ebx 0x00000042 push edi 0x00000043 push esi 0x00000044 mov edi, dword ptr [ebp+08h] 0x00000047 push 000000FFh 0x0000004c call 00007FF6607DA049h 0x00000051 rdtsc
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Memory allocated: 2A50000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Memory allocated: 4A50000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Memory allocated: 5760000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Memory allocated: 6760000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Memory allocated: 6890000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Memory allocated: 7890000 memory reserve | memory write watch
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Memory allocated: CD0000 memory reserve | memory write watch
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Memory allocated: 2790000 memory reserve | memory write watch
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Memory allocated: 2590000 memory reserve | memory write watch
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Memory allocated: 5360000 memory reserve | memory write watch
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Memory allocated: 6360000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 1850000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 3690000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 34E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 6130000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 7130000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 7260000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 8260000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 16E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 3080000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 5080000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 5DE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 6DE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 6F10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory allocated: 7F10000 memory reserve | memory write watch
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Memory allocated: 10E0000 memory reserve | memory write watch
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Memory allocated: 2C80000 memory reserve | memory write watch
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Memory allocated: 2B10000 memory reserve | memory write watch
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Memory allocated: 5800000 memory reserve | memory write watch
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Memory allocated: 6800000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4_2_00402E5A rdtsc 4_2_00402E5A
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe TID: 6704 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe TID: 3868 | Thread sleep time: -60000s >= -30000s
                      Source: C:\ProgramData\iigeb\hnhoatl.exe TID: 3068 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe TID: 5688 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe TID: 4020 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\ProgramData\iigeb\hnhoatl.exe TID: 5904 | Thread sleep time: -60000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe TID: 4428 | Thread sleep time: -60000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe TID: 4924 | Thread sleep time: -60000s >= -30000s
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Thread delayed: delay time: 60000
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Thread delayed: delay time: 60000
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Thread delayed: delay time: 60000
                      Source: hnhoatl.exe, 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                      Source: hnhoatl.exe, 0000000C.00000002.2942050318.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
                      Source: hnhoatl.exe, 00000008.00000002.2936427354.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4_2_00402E5A rdtsc 4_2_00402E5A
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4_2_00402E87 LdrLoadDll, 4_2_00402E87
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4_2_00402E87 mov eax, dword ptr fs:[00000030h] 4_2_00402E87
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Process token adjusted: Debug
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4_2_00401000 EntryPoint, CreateThread, SetUnhandledExceptionFilter, GetModuleFileNameW, EnumWindows, GetEnvironmentVariableW, CreateDirectoryW, CopyFileW, CopyFileW, Sleep, CreateMutexW, ExitProcess, 4_2_00401000
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Memory written: C:\Users\user\Desktop\t5SYVk0Tkt.exe base: 400000 value starts with: 4D5A
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Memory written: C:\ProgramData\iigeb\hnhoatl.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Memory written: C:\Users\user\AppData\Roaming\Immmsbclaz.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Process created: C:\Users\user\Desktop\t5SYVk0Tkt.exe "C:\Users\user\Desktop\t5SYVk0Tkt.exe"
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Process created: C:\ProgramData\iigeb\hnhoatl.exe "C:\ProgramData\iigeb\hnhoatl.exe"
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Process created: C:\Users\user\AppData\Roaming\Immmsbclaz.exe "C:\Users\user\AppData\Roaming\Immmsbclaz.exe"
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Queries volume information: C:\Users\user\Desktop\t5SYVk0Tkt.exe VolumeInformation
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Queries volume information: C:\ProgramData\iigeb\hnhoatl.exe VolumeInformation
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Queries volume information: C:\Users\user\AppData\Roaming\Immmsbclaz.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Immmsbclaz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Queries volume information: C:\ProgramData\iigeb\hnhoatl.exe VolumeInformation
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\ProgramData\iigeb\hnhoatl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Code function: 4_2_00401806 CoInitialize, GetUserNameW, GetSystemTime, 4_2_00401806
                      Source: C:\Users\user\Desktop\t5SYVk0Tkt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 0.2.t5SYVk0Tkt.exe.7ae0000.16.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.t5SYVk0Tkt.exe.7ae0000.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.2014234526.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 6.2.Immmsbclaz.exe.3afef6c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Immmsbclaz.exe.34eacc0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hnhoatl.exe.2a4669c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hnhoatl.exe.2a39324.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Immmsbclaz.exe.34e0ae8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.t5SYVk0Tkt.exe.2d7c3b8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.t5SYVk0Tkt.exe.2d721e0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.Immmsbclaz.exe.3af4d94.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000007.00000002.2520525799.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2002312096.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.2439318021.0000000003AFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.2439318021.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2002312096.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2319724842.0000000002A35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2520525799.00000000034DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2319724842.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: t5SYVk0Tkt.exe PID: 6668, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: hnhoatl.exe PID: 4476, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Immmsbclaz.exe PID: 5780, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Immmsbclaz.exe PID: 6400, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match | File source: 0.2.t5SYVk0Tkt.exe.7ae0000.16.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.t5SYVk0Tkt.exe.7ae0000.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.2014234526.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 6.2.Immmsbclaz.exe.3afef6c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Immmsbclaz.exe.34eacc0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hnhoatl.exe.2a4669c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hnhoatl.exe.2a39324.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.Immmsbclaz.exe.34e0ae8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.t5SYVk0Tkt.exe.2d7c3b8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.t5SYVk0Tkt.exe.2d721e0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.Immmsbclaz.exe.3af4d94.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000007.00000002.2520525799.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2002312096.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.2439318021.0000000003AFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.2439318021.0000000003AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2002312096.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2319724842.0000000002A35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2520525799.00000000034DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2319724842.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: t5SYVk0Tkt.exe PID: 6668, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: hnhoatl.exe PID: 4476, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Immmsbclaz.exe PID: 5780, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Immmsbclaz.exe PID: 6400, type: MEMORYSTR

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 111 Process Injection | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 11 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 311 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 111 Process Injection | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 111 Application Layer Protocol | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | 113 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1457059 Sample: t5SYVk0Tkt.exe Startdate: 14/06/2024 Architecture: WINDOWS Score: 100 45 secure.usemobile.xyz 2->45 47 out.1eo.xyz 2->47 49 370 other IPs or domains 2->49 57 Found malware configuration 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 Multi AV Scanner detection for submitted file 2->61 65 12 other signatures 2->65 7 t5SYVk0Tkt.exe 1 5 2->7         started        11 Immmsbclaz.exe 3 2->11         started        13 hnhoatl.exe 3 2->13         started        15 2 other processes 2->15 signatures3 63 Performs DNS queries to domains with low reputation 47->63 process4 file5 39 C:\Users\user\AppData\...\Immmsbclaz.exe, PE32 7->39 dropped 41 C:\Users\...\Immmsbclaz.exe:Zone.Identifier, ASCII 7->41 dropped 43 C:\Users\user\AppData\...\t5SYVk0Tkt.exe.log, ASCII 7->43 dropped 67 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->67 69 Tries to detect virtualization through RDTSC time measurements 7->69 71 Injects a PE file into a foreign processes 7->71 17 t5SYVk0Tkt.exe 4 7->17         started        73 Multi AV Scanner detection for dropped file 11->73 75 Machine Learning detection for dropped file 11->75 20 Immmsbclaz.exe 3 11->20         started        22 hnhoatl.exe 13->22         started        25 Immmsbclaz.exe 15->25         started        signatures6 process7 dnsIp8 27 C:\ProgramData\iigeb\hnhoatl.exe, PE32 17->27 dropped 29 C:\...\hnhoatl.exe:Zone.Identifier, ASCII 17->29 dropped 31 C:\ProgramData\iphiso\hfmfgq.exe, PE32 20->31 dropped 33 C:\ProgramData\...\hfmfgq.exe:Zone.Identifier, ASCII 20->33 dropped 51 185.43.220.45, 4000, 49738, 49739 WIBO-ASLT Lithuania 22->51 53 janum.name 93.191.156.194, 465, 49746 ZITCOMDK Denmark 22->53 55 99 other IPs or domains 22->55 35 C:\ProgramData\uwhicqw\tupug.exe, PE32 25->35 dropped 37 C:\ProgramData\...\tupug.exe:Zone.Identifier, ASCII 25->37 dropped file9

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.