Edit tour

Windows Analysis Report
HBL ASNLRU-20241001 & 20241002.exe

Overview

General Information

Sample name:	HBL ASNLRU-20241001 & 20241002.exe
Analysis ID:	1629255
MD5:	fe222287c00487a369814ceb43c0ca5c
SHA1:	4f0b63d3170884342a2dd14f4417df0704de81ff
SHA256:	fc49789a6bf991fbb9b3abfc8bcb3f648faea56874f0ecfcf66587c1ca746133
Tags:	exeuser-cocaman
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

HBL ASNLRU-20241001 & 20241002.exe (PID: 2108 cmdline: "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe" MD5: FE222287C00487A369814CEB43C0CA5C)

powershell.exe (PID: 6680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LVTDbQS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5944 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6544 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp2B05.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HBL ASNLRU-20241001 & 20241002.exe (PID: 7152 cmdline: "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe" MD5: FE222287C00487A369814CEB43C0CA5C)

WerFault.exe (PID: 6432 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 1516 MD5: C31336C1EFC2CCB44B4326EA793040F2)

LVTDbQS.exe (PID: 2072 cmdline: C:\Users\user\AppData\Roaming\LVTDbQS.exe MD5: FE222287C00487A369814CEB43C0CA5C)

schtasks.exe (PID: 6204 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp3882.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

LVTDbQS.exe (PID: 2928 cmdline: "C:\Users\user\AppData\Roaming\LVTDbQS.exe" MD5: FE222287C00487A369814CEB43C0CA5C)

LVTDbQS.exe (PID: 6592 cmdline: "C:\Users\user\AppData\Roaming\LVTDbQS.exe" MD5: FE222287C00487A369814CEB43C0CA5C)

LVTDbQS.exe (PID: 5860 cmdline: "C:\Users\user\AppData\Roaming\LVTDbQS.exe" MD5: FE222287C00487A369814CEB43C0CA5C)

LVTDbQS.exe (PID: 2452 cmdline: "C:\Users\user\AppData\Roaming\LVTDbQS.exe" MD5: FE222287C00487A369814CEB43C0CA5C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k/sendMessage?chat_id=5217421430", "Token": "5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k", "Chat_id": "5217421430", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.3330703617.000000000351B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14885:$a1: get_encryptedPassword 0x14b71:$a2: get_encryptedUsername 0x14691:$a3: get_timePasswordChanged 0x1478c:$a4: get_passwordField 0x1489b:$a5: set_encryptedPassword 0x15eeb:$a7: get_logins 0x15e4e:$a10: KeyLoggerEventArgs 0x15ab9:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198d8:$x1: $%SMTPDV$ 0x182bc:$x2: $#TheHashHere%& 0x19880:$x3: %FTPDV$ 0x1825c:$x4: $%TelegramDv$ 0x15ab9:$x5: KeyLoggerEventArgs 0x15e4e:$x5: KeyLoggerEventArgs 0x198a4:$m2: Clipboard Logs ID 0x19ae2:$m2: Screenshot Logs ID 0x19bf2:$m2: keystroke Logs ID 0x19ecc:$m3: SnakePW 0x19aba:$m4: \SnakeKeylogger\
0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c45:$a1: get_encryptedPassword 0x35665:$a1: get_encryptedPassword 0x55e85:$a1: get_encryptedPassword 0x14f31:$a2: get_encryptedUsername 0x35951:$a2: get_encryptedUsername 0x56171:$a2: get_encryptedUsername 0x14a51:$a3: get_timePasswordChanged 0x35471:$a3: get_timePasswordChanged 0x55c91:$a3: get_timePasswordChanged 0x14b4c:$a4: get_passwordField 0x3556c:$a4: get_passwordField 0x55d8c:$a4: get_passwordField 0x14c5b:$a5: set_encryptedPassword 0x3567b:$a5: set_encryptedPassword 0x55e9b:$a5: set_encryptedPassword 0x162ab:$a7: get_logins 0x36ccb:$a7: get_logins 0x574eb:$a7: get_logins 0x1620e:$a10: KeyLoggerEventArgs 0x36c2e:$a10: KeyLoggerEventArgs 0x5744e:$a10: KeyLoggerEventArgs
0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19c98:$x1: $%SMTPDV$ 0x3a6b8:$x1: $%SMTPDV$ 0x5aed8:$x1: $%SMTPDV$ 0x1867c:$x2: $#TheHashHere%& 0x3909c:$x2: $#TheHashHere%& 0x598bc:$x2: $#TheHashHere%& 0x19c40:$x3: %FTPDV$ 0x3a660:$x3: %FTPDV$ 0x5ae80:$x3: %FTPDV$ 0x1861c:$x4: $%TelegramDv$ 0x3903c:$x4: $%TelegramDv$ 0x5985c:$x4: $%TelegramDv$ 0x15e79:$x5: KeyLoggerEventArgs 0x1620e:$x5: KeyLoggerEventArgs 0x36899:$x5: KeyLoggerEventArgs 0x36c2e:$x5: KeyLoggerEventArgs 0x570b9:$x5: KeyLoggerEventArgs 0x5744e:$x5: KeyLoggerEventArgs 0x19c64:$m2: Clipboard Logs ID 0x19ea2:$m2: Screenshot Logs ID 0x19fb2:$m2: keystroke Logs ID
00000009.00000002.2386416479.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000011.00000002.3330703617.0000000003351000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14cad:$a1: get_encryptedPassword 0x356cd:$a1: get_encryptedPassword 0x55eed:$a1: get_encryptedPassword 0x14f99:$a2: get_encryptedUsername 0x359b9:$a2: get_encryptedUsername 0x561d9:$a2: get_encryptedUsername 0x14ab9:$a3: get_timePasswordChanged 0x354d9:$a3: get_timePasswordChanged 0x55cf9:$a3: get_timePasswordChanged 0x14bb4:$a4: get_passwordField 0x355d4:$a4: get_passwordField 0x55df4:$a4: get_passwordField 0x14cc3:$a5: set_encryptedPassword 0x356e3:$a5: set_encryptedPassword 0x55f03:$a5: set_encryptedPassword 0x16313:$a7: get_logins 0x36d33:$a7: get_logins 0x57553:$a7: get_logins 0x16276:$a10: KeyLoggerEventArgs 0x36c96:$a10: KeyLoggerEventArgs 0x574b6:$a10: KeyLoggerEventArgs
00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19d00:$x1: $%SMTPDV$ 0x3a720:$x1: $%SMTPDV$ 0x5af40:$x1: $%SMTPDV$ 0x186e4:$x2: $#TheHashHere%& 0x39104:$x2: $#TheHashHere%& 0x59924:$x2: $#TheHashHere%& 0x19ca8:$x3: %FTPDV$ 0x3a6c8:$x3: %FTPDV$ 0x5aee8:$x3: %FTPDV$ 0x18684:$x4: $%TelegramDv$ 0x390a4:$x4: $%TelegramDv$ 0x598c4:$x4: $%TelegramDv$ 0x15ee1:$x5: KeyLoggerEventArgs 0x16276:$x5: KeyLoggerEventArgs 0x36901:$x5: KeyLoggerEventArgs 0x36c96:$x5: KeyLoggerEventArgs 0x57121:$x5: KeyLoggerEventArgs 0x574b6:$x5: KeyLoggerEventArgs 0x19ccc:$m2: Clipboard Logs ID 0x19f0a:$m2: Screenshot Logs ID 0x1a01a:$m2: keystroke Logs ID
Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x82790:$a1: get_encryptedPassword 0x82a72:$a2: get_encryptedUsername 0x825a6:$a3: get_timePasswordChanged 0x826a1:$a4: get_passwordField 0x827a6:$a5: set_encryptedPassword 0x84c7a:$a7: get_logins 0x84bdd:$a10: KeyLoggerEventArgs 0x84848:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x84848:$x5: KeyLoggerEventArgs 0x84bdd:$x5: KeyLoggerEventArgs 0x854e4:$x5: KeyLoggerEventArgs 0x85845:$x5: KeyLoggerEventArgs 0x86e08:$m2: Clipboard Logs ID 0x86f0e:$m2: Screenshot Logs ID 0x86f64:$m2: keystroke Logs ID 0x87099:$m3: SnakePW 0x86efa:$m4: \SnakeKeylogger\
Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 7152	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 7152	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 7152	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ecda:$a1: get_encryptedPassword 0x1efbc:$a2: get_encryptedUsername 0x1eaf0:$a3: get_timePasswordChanged 0x1ebeb:$a4: get_passwordField 0x1ecf0:$a5: set_encryptedPassword 0x211c4:$a7: get_logins 0x21127:$a10: KeyLoggerEventArgs 0x20d92:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 7152	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x20d92:$x5: KeyLoggerEventArgs 0x21127:$x5: KeyLoggerEventArgs 0x21a2e:$x5: KeyLoggerEventArgs 0x21d8f:$x5: KeyLoggerEventArgs 0x23352:$m2: Clipboard Logs ID 0x23458:$m2: Screenshot Logs ID 0x234ae:$m2: keystroke Logs ID 0x235e3:$m3: SnakePW 0x23444:$m4: \SnakeKeylogger\
Process Memory Space: LVTDbQS.exe PID: 2072	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: LVTDbQS.exe PID: 2072	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: LVTDbQS.exe PID: 2072	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: LVTDbQS.exe PID: 2072	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x569f2:$a1: get_encryptedPassword 0x56cd4:$a2: get_encryptedUsername 0x56808:$a3: get_timePasswordChanged 0x56903:$a4: get_passwordField 0x56a08:$a5: set_encryptedPassword 0x58edc:$a7: get_logins 0x58e3f:$a10: KeyLoggerEventArgs 0x58aaa:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: LVTDbQS.exe PID: 2072	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x58aaa:$x5: KeyLoggerEventArgs 0x58e3f:$x5: KeyLoggerEventArgs 0x59746:$x5: KeyLoggerEventArgs 0x59aa7:$x5: KeyLoggerEventArgs 0x5b06a:$m2: Clipboard Logs ID 0x5b170:$m2: Screenshot Logs ID 0x5b1c6:$m2: keystroke Logs ID 0x5b2fb:$m3: SnakePW 0x5b15c:$m4: \SnakeKeylogger\
Process Memory Space: LVTDbQS.exe PID: 2452	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: LVTDbQS.exe PID: 2452	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c85:$a1: get_encryptedPassword 0x12f71:$a2: get_encryptedUsername 0x12a91:$a3: get_timePasswordChanged 0x12b8c:$a4: get_passwordField 0x12c9b:$a5: set_encryptedPassword 0x142eb:$a7: get_logins 0x1424e:$a10: KeyLoggerEventArgs 0x13eb9:$a11: KeyLoggerEventArgsEventHandler
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a68e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cf3:$a4: \Orbitum\User Data\Default\Login Data 0x1ad32:$a5: \Kometa\User Data\Default\Login Data
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c85:$a1: get_encryptedPassword 0x12f71:$a2: get_encryptedUsername 0x12a91:$a3: get_timePasswordChanged 0x12b8c:$a4: get_passwordField 0x12c9b:$a5: set_encryptedPassword 0x142eb:$a7: get_logins 0x1424e:$a10: KeyLoggerEventArgs 0x13eb9:$a11: KeyLoggerEventArgsEventHandler
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13869:$s1: UnHook 0x13870:$s2: SetHook 0x13878:$s3: CallNextHook 0x13885:$s4: _hook
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cd8:$x1: $%SMTPDV$ 0x166bc:$x2: $#TheHashHere%& 0x17c80:$x3: %FTPDV$ 0x1665c:$x4: $%TelegramDv$ 0x13eb9:$x5: KeyLoggerEventArgs 0x1424e:$x5: KeyLoggerEventArgs 0x17ca4:$m2: Clipboard Logs ID 0x17ee2:$m2: Screenshot Logs ID 0x17ff2:$m2: keystroke Logs ID 0x182cc:$m3: SnakePW 0x17eba:$m4: \SnakeKeylogger\
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a68e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cf3:$a4: \Orbitum\User Data\Default\Login Data 0x1ad32:$a5: \Kometa\User Data\Default\Login Data
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13869:$s1: UnHook 0x13870:$s2: SetHook 0x13878:$s3: CallNextHook 0x13885:$s4: _hook
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cd8:$x1: $%SMTPDV$ 0x166bc:$x2: $#TheHashHere%& 0x17c80:$x3: %FTPDV$ 0x1665c:$x4: $%TelegramDv$ 0x13eb9:$x5: KeyLoggerEventArgs 0x1424e:$x5: KeyLoggerEventArgs 0x17ca4:$m2: Clipboard Logs ID 0x17ee2:$m2: Screenshot Logs ID 0x17ff2:$m2: keystroke Logs ID 0x182cc:$m3: SnakePW 0x17eba:$m4: \SnakeKeylogger\
9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a85:$a1: get_encryptedPassword 0x14d71:$a2: get_encryptedUsername 0x14891:$a3: get_timePasswordChanged 0x1498c:$a4: get_passwordField 0x14a9b:$a5: set_encryptedPassword 0x160eb:$a7: get_logins 0x1604e:$a10: KeyLoggerEventArgs 0x15cb9:$a11: KeyLoggerEventArgsEventHandler
10.2.LVTDbQS.exe.401b1c0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c48e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baf3:$a4: \Orbitum\User Data\Default\Login Data 0x1cb32:$a5: \Kometa\User Data\Default\Login Data
10.2.LVTDbQS.exe.401b1c0.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15669:$s1: UnHook 0x15670:$s2: SetHook 0x15678:$s3: CallNextHook 0x15685:$s4: _hook
9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ad8:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x19a80:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x15cb9:$x5: KeyLoggerEventArgs 0x1604e:$x5: KeyLoggerEventArgs 0x19aa4:$m2: Clipboard Logs ID 0x19ce2:$m2: Screenshot Logs ID 0x19df2:$m2: keystroke Logs ID 0x1a0cc:$m3: SnakePW 0x19cba:$m4: \SnakeKeylogger\
10.2.LVTDbQS.exe.403bbe0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.LVTDbQS.exe.401b1c0.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c85:$a1: get_encryptedPassword 0x12f71:$a2: get_encryptedUsername 0x12a91:$a3: get_timePasswordChanged 0x12b8c:$a4: get_passwordField 0x12c9b:$a5: set_encryptedPassword 0x142eb:$a7: get_logins 0x1424e:$a10: KeyLoggerEventArgs 0x13eb9:$a11: KeyLoggerEventArgsEventHandler
10.2.LVTDbQS.exe.403bbe0.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.LVTDbQS.exe.403bbe0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.LVTDbQS.exe.401b1c0.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a68e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cf3:$a4: \Orbitum\User Data\Default\Login Data 0x1ad32:$a5: \Kometa\User Data\Default\Login Data
10.2.LVTDbQS.exe.403bbe0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a85:$a1: get_encryptedPassword 0x352a5:$a1: get_encryptedPassword 0x14d71:$a2: get_encryptedUsername 0x35591:$a2: get_encryptedUsername 0x14891:$a3: get_timePasswordChanged 0x350b1:$a3: get_timePasswordChanged 0x1498c:$a4: get_passwordField 0x351ac:$a4: get_passwordField 0x14a9b:$a5: set_encryptedPassword 0x352bb:$a5: set_encryptedPassword 0x160eb:$a7: get_logins 0x3690b:$a7: get_logins 0x1604e:$a10: KeyLoggerEventArgs 0x3686e:$a10: KeyLoggerEventArgs 0x15cb9:$a11: KeyLoggerEventArgsEventHandler 0x364d9:$a11: KeyLoggerEventArgsEventHandler
10.2.LVTDbQS.exe.403bbe0.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.LVTDbQS.exe.401b1c0.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13869:$s1: UnHook 0x13870:$s2: SetHook 0x13878:$s3: CallNextHook 0x13885:$s4: _hook
10.2.LVTDbQS.exe.403bbe0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c85:$a1: get_encryptedPassword 0x12f71:$a2: get_encryptedUsername 0x12a91:$a3: get_timePasswordChanged 0x12b8c:$a4: get_passwordField 0x12c9b:$a5: set_encryptedPassword 0x142eb:$a7: get_logins 0x1424e:$a10: KeyLoggerEventArgs 0x13eb9:$a11: KeyLoggerEventArgsEventHandler
10.2.LVTDbQS.exe.401b1c0.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cd8:$x1: $%SMTPDV$ 0x166bc:$x2: $#TheHashHere%& 0x17c80:$x3: %FTPDV$ 0x1665c:$x4: $%TelegramDv$ 0x13eb9:$x5: KeyLoggerEventArgs 0x1424e:$x5: KeyLoggerEventArgs 0x17ca4:$m2: Clipboard Logs ID 0x17ee2:$m2: Screenshot Logs ID 0x17ff2:$m2: keystroke Logs ID 0x182cc:$m3: SnakePW 0x17eba:$m4: \SnakeKeylogger\
10.2.LVTDbQS.exe.403bbe0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a68e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cf3:$a4: \Orbitum\User Data\Default\Login Data 0x1ad32:$a5: \Kometa\User Data\Default\Login Data
10.2.LVTDbQS.exe.403bbe0.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13869:$s1: UnHook 0x13870:$s2: SetHook 0x13878:$s3: CallNextHook 0x13885:$s4: _hook
10.2.LVTDbQS.exe.403bbe0.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cd8:$x1: $%SMTPDV$ 0x166bc:$x2: $#TheHashHere%& 0x17c80:$x3: %FTPDV$ 0x1665c:$x4: $%TelegramDv$ 0x13eb9:$x5: KeyLoggerEventArgs 0x1424e:$x5: KeyLoggerEventArgs 0x17ca4:$m2: Clipboard Logs ID 0x17ee2:$m2: Screenshot Logs ID 0x17ff2:$m2: keystroke Logs ID 0x182cc:$m3: SnakePW 0x17eba:$m4: \SnakeKeylogger\
10.2.LVTDbQS.exe.403bbe0.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c48e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ccae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bee0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baf3:$a4: \Orbitum\User Data\Default\Login Data 0x3c313:$a4: \Orbitum\User Data\Default\Login Data 0x1cb32:$a5: \Kometa\User Data\Default\Login Data 0x3d352:$a5: \Kometa\User Data\Default\Login Data
10.2.LVTDbQS.exe.403bbe0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15669:$s1: UnHook 0x35e89:$s1: UnHook 0x15670:$s2: SetHook 0x35e90:$s2: SetHook 0x15678:$s3: CallNextHook 0x35e98:$s3: CallNextHook 0x15685:$s4: _hook 0x35ea5:$s4: _hook
10.2.LVTDbQS.exe.403bbe0.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ad8:$x1: $%SMTPDV$ 0x3a2f8:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x38cdc:$x2: $#TheHashHere%& 0x19a80:$x3: %FTPDV$ 0x3a2a0:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x38c7c:$x4: $%TelegramDv$ 0x15cb9:$x5: KeyLoggerEventArgs 0x1604e:$x5: KeyLoggerEventArgs 0x364d9:$x5: KeyLoggerEventArgs 0x3686e:$x5: KeyLoggerEventArgs 0x19aa4:$m2: Clipboard Logs ID 0x19ce2:$m2: Screenshot Logs ID 0x19df2:$m2: keystroke Logs ID 0x3a2c4:$m2: Clipboard Logs ID 0x3a502:$m2: Screenshot Logs ID 0x3a612:$m2: keystroke Logs ID 0x1a0cc:$m3: SnakePW 0x3a8ec:$m3: SnakePW 0x19cba:$m4: \SnakeKeylogger\
10.2.LVTDbQS.exe.401b1c0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.LVTDbQS.exe.401b1c0.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.LVTDbQS.exe.401b1c0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a85:$a1: get_encryptedPassword 0x354a5:$a1: get_encryptedPassword 0x55cc5:$a1: get_encryptedPassword 0x14d71:$a2: get_encryptedUsername 0x35791:$a2: get_encryptedUsername 0x55fb1:$a2: get_encryptedUsername 0x14891:$a3: get_timePasswordChanged 0x352b1:$a3: get_timePasswordChanged 0x55ad1:$a3: get_timePasswordChanged 0x1498c:$a4: get_passwordField 0x353ac:$a4: get_passwordField 0x55bcc:$a4: get_passwordField 0x14a9b:$a5: set_encryptedPassword 0x354bb:$a5: set_encryptedPassword 0x55cdb:$a5: set_encryptedPassword 0x160eb:$a7: get_logins 0x36b0b:$a7: get_logins 0x5732b:$a7: get_logins 0x1604e:$a10: KeyLoggerEventArgs 0x36a6e:$a10: KeyLoggerEventArgs 0x5728e:$a10: KeyLoggerEventArgs
10.2.LVTDbQS.exe.401b1c0.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c48e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ceae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d6ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c0e0:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c900:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baf3:$a4: \Orbitum\User Data\Default\Login Data 0x3c513:$a4: \Orbitum\User Data\Default\Login Data 0x5cd33:$a4: \Orbitum\User Data\Default\Login Data 0x1cb32:$a5: \Kometa\User Data\Default\Login Data 0x3d552:$a5: \Kometa\User Data\Default\Login Data 0x5dd72:$a5: \Kometa\User Data\Default\Login Data
10.2.LVTDbQS.exe.401b1c0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15669:$s1: UnHook 0x36089:$s1: UnHook 0x568a9:$s1: UnHook 0x15670:$s2: SetHook 0x36090:$s2: SetHook 0x568b0:$s2: SetHook 0x15678:$s3: CallNextHook 0x36098:$s3: CallNextHook 0x568b8:$s3: CallNextHook 0x15685:$s4: _hook 0x360a5:$s4: _hook 0x568c5:$s4: _hook
10.2.LVTDbQS.exe.401b1c0.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ad8:$x1: $%SMTPDV$ 0x3a4f8:$x1: $%SMTPDV$ 0x5ad18:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x38edc:$x2: $#TheHashHere%& 0x596fc:$x2: $#TheHashHere%& 0x19a80:$x3: %FTPDV$ 0x3a4a0:$x3: %FTPDV$ 0x5acc0:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x38e7c:$x4: $%TelegramDv$ 0x5969c:$x4: $%TelegramDv$ 0x15cb9:$x5: KeyLoggerEventArgs 0x1604e:$x5: KeyLoggerEventArgs 0x366d9:$x5: KeyLoggerEventArgs 0x36a6e:$x5: KeyLoggerEventArgs 0x56ef9:$x5: KeyLoggerEventArgs 0x5728e:$x5: KeyLoggerEventArgs 0x19aa4:$m2: Clipboard Logs ID 0x19ce2:$m2: Screenshot Logs ID 0x19df2:$m2: keystroke Logs ID
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a85:$a1: get_encryptedPassword 0x352a5:$a1: get_encryptedPassword 0x14d71:$a2: get_encryptedUsername 0x35591:$a2: get_encryptedUsername 0x14891:$a3: get_timePasswordChanged 0x350b1:$a3: get_timePasswordChanged 0x1498c:$a4: get_passwordField 0x351ac:$a4: get_passwordField 0x14a9b:$a5: set_encryptedPassword 0x352bb:$a5: set_encryptedPassword 0x160eb:$a7: get_logins 0x3690b:$a7: get_logins 0x1604e:$a10: KeyLoggerEventArgs 0x3686e:$a10: KeyLoggerEventArgs 0x15cb9:$a11: KeyLoggerEventArgsEventHandler 0x364d9:$a11: KeyLoggerEventArgsEventHandler
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15669:$s1: UnHook 0x35e89:$s1: UnHook 0x15670:$s2: SetHook 0x35e90:$s2: SetHook 0x15678:$s3: CallNextHook 0x35e98:$s3: CallNextHook 0x15685:$s4: _hook 0x35ea5:$s4: _hook
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ad8:$x1: $%SMTPDV$ 0x3a2f8:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x38cdc:$x2: $#TheHashHere%& 0x19a80:$x3: %FTPDV$ 0x3a2a0:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x38c7c:$x4: $%TelegramDv$ 0x15cb9:$x5: KeyLoggerEventArgs 0x1604e:$x5: KeyLoggerEventArgs 0x364d9:$x5: KeyLoggerEventArgs 0x3686e:$x5: KeyLoggerEventArgs 0x19aa4:$m2: Clipboard Logs ID 0x19ce2:$m2: Screenshot Logs ID 0x19df2:$m2: keystroke Logs ID 0x3a2c4:$m2: Clipboard Logs ID 0x3a502:$m2: Screenshot Logs ID 0x3a612:$m2: keystroke Logs ID 0x1a0cc:$m3: SnakePW 0x3a8ec:$m3: SnakePW 0x19cba:$m4: \SnakeKeylogger\
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a85:$a1: get_encryptedPassword 0x354a5:$a1: get_encryptedPassword 0x55cc5:$a1: get_encryptedPassword 0x14d71:$a2: get_encryptedUsername 0x35791:$a2: get_encryptedUsername 0x55fb1:$a2: get_encryptedUsername 0x14891:$a3: get_timePasswordChanged 0x352b1:$a3: get_timePasswordChanged 0x55ad1:$a3: get_timePasswordChanged 0x1498c:$a4: get_passwordField 0x353ac:$a4: get_passwordField 0x55bcc:$a4: get_passwordField 0x14a9b:$a5: set_encryptedPassword 0x354bb:$a5: set_encryptedPassword 0x55cdb:$a5: set_encryptedPassword 0x160eb:$a7: get_logins 0x36b0b:$a7: get_logins 0x5732b:$a7: get_logins 0x1604e:$a10: KeyLoggerEventArgs 0x36a6e:$a10: KeyLoggerEventArgs 0x5728e:$a10: KeyLoggerEventArgs
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15669:$s1: UnHook 0x36089:$s1: UnHook 0x568a9:$s1: UnHook 0x15670:$s2: SetHook 0x36090:$s2: SetHook 0x568b0:$s2: SetHook 0x15678:$s3: CallNextHook 0x36098:$s3: CallNextHook 0x568b8:$s3: CallNextHook 0x15685:$s4: _hook 0x360a5:$s4: _hook 0x568c5:$s4: _hook
0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ad8:$x1: $%SMTPDV$ 0x3a4f8:$x1: $%SMTPDV$ 0x5ad18:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x38edc:$x2: $#TheHashHere%& 0x596fc:$x2: $#TheHashHere%& 0x19a80:$x3: %FTPDV$ 0x3a4a0:$x3: %FTPDV$ 0x5acc0:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x38e7c:$x4: $%TelegramDv$ 0x5969c:$x4: $%TelegramDv$ 0x15cb9:$x5: KeyLoggerEventArgs 0x1604e:$x5: KeyLoggerEventArgs 0x366d9:$x5: KeyLoggerEventArgs 0x36a6e:$x5: KeyLoggerEventArgs 0x56ef9:$x5: KeyLoggerEventArgs 0x5728e:$x5: KeyLoggerEventArgs 0x19aa4:$m2: Clipboard Logs ID 0x19ce2:$m2: Screenshot Logs ID 0x19df2:$m2: keystroke Logs ID
Click to see the 47 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe", ParentImage: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe, ParentProcessId: 2108, ParentProcessName: HBL ASNLRU-20241001 & 20241002.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe", ProcessId: 6680, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp3882.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp3882.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\LVTDbQS.exe, ParentImage: C:\Users\user\AppData\Roaming\LVTDbQS.exe, ParentProcessId: 2072, ParentProcessName: LVTDbQS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp3882.tmp", ProcessId: 6204, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp2B05.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp2B05.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe", ParentImage: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe, ParentProcessId: 2108, ParentProcessName: HBL ASNLRU-20241001 & 20241002.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp2B05.tmp", ProcessId: 6544, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe", ParentImage: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe, ParentProcessId: 2108, ParentProcessName: HBL ASNLRU-20241001 & 20241002.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe", ProcessId: 6680, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp2B05.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp2B05.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe", ParentImage: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe, ParentProcessId: 2108, ParentProcessName: HBL ASNLRU-20241001 & 20241002.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp2B05.tmp", ProcessId: 6544, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T15:30:26.077502+0100	2803305	3	Unknown Traffic	192.168.2.5	49725	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T15:30:23.038370+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	158.101.44.242	80	TCP
2025-03-04T15:30:25.475840+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	158.101.44.242	80	TCP
2025-03-04T15:30:27.710217+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49731	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HBL ASNLRU-20241001 & 20241002.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe

Avira: detection malicious, Label: TR/AD.SnakeStealer.yttup

Found malware configuration

Source: 00000011.00000002.3330703617.0000000003351000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k/sendMessage?chat_id=5217421430", "Token": "5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k", "Chat_id": "5217421430", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: HBL ASNLRU-20241001 & 20241002.exe	Virustotal: Detection: 54%			Perma Link
Source: HBL ASNLRU-20241001 & 20241002.exe	ReversingLabs: Detection: 55%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	String decryptor:
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	String decryptor: 5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	String decryptor: 5217421430
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	String decryptor:
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	String decryptor: 5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	String decryptor: 5217421430
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	String decryptor:
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	String decryptor: 5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack	String decryptor: 5217421430

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: HBL ASNLRU-20241001 & 20241002.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49719 version: TLS 1.0

Source: HBL ASNLRU-20241001 & 20241002.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.PDB source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbG source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: VFCPoz.pdbvt source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbe source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2385584369.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: System.ni.pdbRSDS source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: n.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\VFCPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb* source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: \??\C:\Windows\exe\VFCPoz.pdbX source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2385584369.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Users\user\Desktop\VFCPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: VFCPoz.pdbVFCPoz.pdbpdbPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\VFCPoz.pdbg source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: System.Xml.pdbd source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbn source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2385584369.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: ##.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: System.Core.ni.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: \??\C:\Windows\exe\VFCPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2385584369.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\VFCPoz.pdbpdbPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: mscorlib.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: mscorlib.ni.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: n,C:\Windows\VFCPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: VFCPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, LVTDbQS.exe.0.dr
Source:	Binary string: \??\C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.PDB source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: VFCPoz.pdbSHA256 source: HBL ASNLRU-20241001 & 20241002.exe, LVTDbQS.exe.0.dr
Source:	Binary string: mscorlib.pdbH source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2385584369.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\VFCPoz.pdb\|) source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\VFCPoz.pdbO source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 030DF1F6h	17_2_030DF007
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 030DFB80h	17_2_030DF007
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	17_2_030DE528
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	17_2_030DEB5B
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	17_2_030DED3C
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEC8F1h	17_2_05DEC648
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEC041h	17_2_05DEBD98
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DE1011h	17_2_05DE0D60
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEF009h	17_2_05DEED60
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEB791h	17_2_05DEB4E8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEE759h	17_2_05DEE4B0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DE0751h	17_2_05DE04A0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEDEA9h	17_2_05DEDC00
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEDA51h	17_2_05DED7A8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DED1A1h	17_2_05DECEF8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEF8B9h	17_2_05DEF610
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DE1A38h	17_2_05DE1620
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DE1471h	17_2_05DE11C0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEC499h	17_2_05DEC1F0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEF461h	17_2_05DEF1B8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEBBE9h	17_2_05DEB940
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DE1A38h	17_2_05DE1966
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEEBB1h	17_2_05DEE908
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DE0BB1h	17_2_05DE0900
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEE301h	17_2_05DEE058
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DE02F1h	17_2_05DE0040
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DED5F9h	17_2_05DED350
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DECD49h	17_2_05DECAA0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 05DEFD11h	17_2_05DEFA68
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC8945h	17_2_06FC8608
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	17_2_06FC36CE
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC6171h	17_2_06FC5EC8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC5D19h	17_2_06FC5A70
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC58C1h	17_2_06FC5618
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC6E79h	17_2_06FC6BD0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	17_2_06FC33B8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	17_2_06FC33AE
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC6A21h	17_2_06FC6778
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC65C9h	17_2_06FC6320
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC0B99h	17_2_06FC08F0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC7751h	17_2_06FC74A8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC0741h	17_2_06FC0498
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC72FAh	17_2_06FC7050
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC02E9h	17_2_06FC0040
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC8459h	17_2_06FC81B0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC5441h	17_2_06FC5198
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC8001h	17_2_06FC7D58
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC0FF1h	17_2_06FC0D48
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 4x nop then jmp 06FC7BA9h	17_2_06FC7900

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49731 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49725 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49719 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2386416479.0000000002A87000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003414000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.000000000350D000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2386416479.0000000002A87000.00000004.00000800.00020000.00000000.sdmp, HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2386416479.0000000002A6B000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003414000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003409000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.000000000350D000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2386416479.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, LVTDbQS.exe, 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: LVTDbQS.exe, 00000011.00000002.3330703617.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org8
Source: LVTDbQS.exe, 00000011.00000002.3330703617.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.000000000342D000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.000000000350D000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2126176784.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2386416479.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 0000000A.00000002.2159198594.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.20.dr	String found in binary or memory: http://upx.sf.net
Source: LVTDbQS.exe, 00000011.00000002.3330703617.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003414000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003457000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.000000000350D000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, LVTDbQS.exe, 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003414000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: LVTDbQS.exe, 00000011.00000002.3330703617.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: LVTDbQS.exe, 00000011.00000002.3330703617.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003457000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.000000000350D000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.LVTDbQS.exe.401b1c0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.LVTDbQS.exe.401b1c0.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.LVTDbQS.exe.403bbe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.LVTDbQS.exe.401b1c0.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.LVTDbQS.exe.403bbe0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.LVTDbQS.exe.401b1c0.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.LVTDbQS.exe.403bbe0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.LVTDbQS.exe.403bbe0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.LVTDbQS.exe.403bbe0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.LVTDbQS.exe.403bbe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.LVTDbQS.exe.403bbe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.LVTDbQS.exe.403bbe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 7152, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 7152, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: LVTDbQS.exe PID: 2072, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: LVTDbQS.exe PID: 2072, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_00D5DE84	0_2_00D5DE84
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_04FB0040	0_2_04FB0040
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_04FB001E	0_2_04FB001E
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_04FB9D0F	0_2_04FB9D0F
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_05C9F2E5	0_2_05C9F2E5
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_05C9C5D0	0_2_05C9C5D0
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_070EC708	0_2_070EC708
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_070EE218	0_2_070EE218
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_070ECF78	0_2_070ECF78
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_070ECB40	0_2_070ECB40
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_070EEBC8	0_2_070EEBC8
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 9_2_027E3580	9_2_027E3580
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 10_2_0156DE84	10_2_0156DE84
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 10_2_0726F2E5	10_2_0726F2E5
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 10_2_0726C5D0	10_2_0726C5D0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 10_2_073AF448	10_2_073AF448
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 10_2_073A0040	10_2_073A0040
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 10_2_073EE398	10_2_073EE398
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 10_2_073EED48	10_2_073EED48
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 10_2_073ECCC0	10_2_073ECCC0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 10_2_073EC888	10_2_073EC888
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 10_2_073ED0F8	10_2_073ED0F8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030DB328	17_2_030DB328
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030D6108	17_2_030D6108
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030DC190	17_2_030DC190
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030DF007	17_2_030DF007
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030D6730	17_2_030D6730
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030DC753	17_2_030DC753
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030DC470	17_2_030DC470
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030DBBD3	17_2_030DBBD3
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030DCA33	17_2_030DCA33
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030D4AD9	17_2_030D4AD9
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030D9858	17_2_030D9858
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030DBEB0	17_2_030DBEB0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030DE517	17_2_030DE517
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030DE528	17_2_030DE528
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030D3573	17_2_030D3573
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_030DB4F3	17_2_030DB4F3
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE7D90	17_2_05DE7D90
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE8460	17_2_05DE8460
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEC648	17_2_05DEC648
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE3870	17_2_05DE3870
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEBD98	17_2_05DEBD98
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEBD88	17_2_05DEBD88
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEED5D	17_2_05DEED5D
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE0D51	17_2_05DE0D51
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE0D60	17_2_05DE0D60
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEED60	17_2_05DEED60
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEB4E8	17_2_05DEB4E8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEB4E5	17_2_05DEB4E5
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE0490	17_2_05DE0490
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEE4B0	17_2_05DEE4B0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE04A0	17_2_05DE04A0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEE4A0	17_2_05DEE4A0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEDC00	17_2_05DEDC00
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DED798	17_2_05DED798
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DED7A8	17_2_05DED7A8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DECEF8	17_2_05DECEF8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DECEF5	17_2_05DECEF5
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEF610	17_2_05DEF610
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEF600	17_2_05DEF600
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEC638	17_2_05DEC638
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE11C0	17_2_05DE11C0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEC1F0	17_2_05DEC1F0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEC1E0	17_2_05DEC1E0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEF1B8	17_2_05DEF1B8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEF1B5	17_2_05DEF1B5
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE11B1	17_2_05DE11B1
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEB940	17_2_05DEB940
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEE908	17_2_05DEE908
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEE905	17_2_05DEE905
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE0900	17_2_05DE0900
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEB930	17_2_05DEB930
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE08F0	17_2_05DE08F0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEE058	17_2_05DEE058
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEE049	17_2_05DEE049
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE0040	17_2_05DE0040
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE3860	17_2_05DE3860
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE0007	17_2_05DE0007
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE73D8	17_2_05DE73D8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEDBF1	17_2_05DEDBF1
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE73E8	17_2_05DE73E8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DED350	17_2_05DED350
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DED34D	17_2_05DED34D
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DECA9D	17_2_05DECA9D
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DECAA0	17_2_05DECAA0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEFA59	17_2_05DEFA59
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DEFA68	17_2_05DEFA68
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCB6E8	17_2_06FCB6E8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCD670	17_2_06FCD670
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCAA58	17_2_06FCAA58
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC8608	17_2_06FC8608
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCC388	17_2_06FCC388
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCB0A0	17_2_06FCB0A0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC8C51	17_2_06FC8C51
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCD028	17_2_06FCD028
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCA408	17_2_06FCA408
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCC9D8	17_2_06FCC9D8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC11A0	17_2_06FC11A0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCBD38	17_2_06FCBD38
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCB6D9	17_2_06FCB6D9
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC5EC8	17_2_06FC5EC8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC5EC5	17_2_06FC5EC5
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC5A70	17_2_06FC5A70
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC5A60	17_2_06FC5A60
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCD661	17_2_06FCD661
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCAA52	17_2_06FCAA52
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC5618	17_2_06FC5618
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC5611	17_2_06FC5611
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC8602	17_2_06FC8602
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCA3F8	17_2_06FCA3F8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC6BD0	17_2_06FC6BD0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC6BC9	17_2_06FC6BC9
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC33B8	17_2_06FC33B8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC33AE	17_2_06FC33AE
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC6778	17_2_06FC6778
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCC378	17_2_06FCC378
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC6775	17_2_06FC6775
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC3730	17_2_06FC3730
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC6320	17_2_06FC6320
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC631D	17_2_06FC631D
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC08F0	17_2_06FC08F0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC78F0	17_2_06FC78F0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC08ED	17_2_06FC08ED
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC74A8	17_2_06FC74A8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC74A5	17_2_06FC74A5
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC0498	17_2_06FC0498
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC0495	17_2_06FC0495
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCB08F	17_2_06FCB08F
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC7050	17_2_06FC7050
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC7049	17_2_06FC7049
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC0040	17_2_06FC0040
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC003D	17_2_06FC003D
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC4430	17_2_06FC4430
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC2818	17_2_06FC2818
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCD018	17_2_06FCD018
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC2807	17_2_06FC2807
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCC9C8	17_2_06FCC9C8
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC81B0	17_2_06FC81B0
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC81AD	17_2_06FC81AD
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC5198	17_2_06FC5198
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC1191	17_2_06FC1191
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC518A	17_2_06FC518A
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC7D58	17_2_06FC7D58
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC7D51	17_2_06FC7D51
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC0D48	17_2_06FC0D48
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC0D39	17_2_06FC0D39
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FCBD28	17_2_06FCBD28
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_06FC7900	17_2_06FC7900

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 1516

Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2126176784.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs HBL ASNLRU-20241001 & 20241002.exe
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2126176784.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs HBL ASNLRU-20241001 & 20241002.exe
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2130047878.0000000005C70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs HBL ASNLRU-20241001 & 20241002.exe
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2125102392.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HBL ASNLRU-20241001 & 20241002.exe
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000000.2074355200.0000000000710000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVFCPoz.exeZ vs HBL ASNLRU-20241001 & 20241002.exe
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2131279564.00000000078A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs HBL ASNLRU-20241001 & 20241002.exe
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs HBL ASNLRU-20241001 & 20241002.exe
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs HBL ASNLRU-20241001 & 20241002.exe
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2130678181.0000000006F74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVFCPoz.exeZ vs HBL ASNLRU-20241001 & 20241002.exe
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs HBL ASNLRU-20241001 & 20241002.exe
Source: HBL ASNLRU-20241001 & 20241002.exe	Binary or memory string: OriginalFilenameVFCPoz.exeZ vs HBL ASNLRU-20241001 & 20241002.exe

Source: HBL ASNLRU-20241001 & 20241002.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.LVTDbQS.exe.401b1c0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.LVTDbQS.exe.401b1c0.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.LVTDbQS.exe.403bbe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.LVTDbQS.exe.401b1c0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.LVTDbQS.exe.403bbe0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.LVTDbQS.exe.401b1c0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.LVTDbQS.exe.403bbe0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.LVTDbQS.exe.403bbe0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.LVTDbQS.exe.403bbe0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.LVTDbQS.exe.403bbe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.LVTDbQS.exe.403bbe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.LVTDbQS.exe.403bbe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 7152, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 7152, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: LVTDbQS.exe PID: 2072, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: LVTDbQS.exe PID: 2072, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: HBL ASNLRU-20241001 & 20241002.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LVTDbQS.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, -KU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, -KU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, -KU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, -KU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, -KU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, -KU.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, T3kL2wtxkWZ0vZyejt.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, T3kL2wtxkWZ0vZyejt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, yuDbQScDbRjCJQYnuc.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, yuDbQScDbRjCJQYnuc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, yuDbQScDbRjCJQYnuc.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, T3kL2wtxkWZ0vZyejt.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, T3kL2wtxkWZ0vZyejt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, yuDbQScDbRjCJQYnuc.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, yuDbQScDbRjCJQYnuc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, yuDbQScDbRjCJQYnuc.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/18@2/2

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

File created: C:\Users\user\AppData\Roaming\LVTDbQS.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7152
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Mutant created: \Sessions\1\BaseNamedObjects\AjjVSj
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2B05.tmp

Jump to behavior

Source: HBL ASNLRU-20241001 & 20241002.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HBL ASNLRU-20241001 & 20241002.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LVTDbQS.exe, 00000011.00000002.3330703617.0000000003589000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000035A7000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003598000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000035CE000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000035DB000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3333603075.00000000043DC000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: HBL ASNLRU-20241001 & 20241002.exe	Virustotal: Detection: 54%
Source: HBL ASNLRU-20241001 & 20241002.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

File read: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe"
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LVTDbQS.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp2B05.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe C:\Users\user\AppData\Roaming\LVTDbQS.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp3882.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe "C:\Users\user\AppData\Roaming\LVTDbQS.exe"
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe "C:\Users\user\AppData\Roaming\LVTDbQS.exe"
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe "C:\Users\user\AppData\Roaming\LVTDbQS.exe"
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe "C:\Users\user\AppData\Roaming\LVTDbQS.exe"
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 1516
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LVTDbQS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp2B05.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp3882.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe "C:\Users\user\AppData\Roaming\LVTDbQS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe "C:\Users\user\AppData\Roaming\LVTDbQS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe "C:\Users\user\AppData\Roaming\LVTDbQS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe "C:\Users\user\AppData\Roaming\LVTDbQS.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: HBL ASNLRU-20241001 & 20241002.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HBL ASNLRU-20241001 & 20241002.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: HBL ASNLRU-20241001 & 20241002.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.PDB source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbG source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: VFCPoz.pdbvt source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbe source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2385584369.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: System.ni.pdbRSDS source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: n.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\VFCPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb* source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: \??\C:\Windows\exe\VFCPoz.pdbX source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2385584369.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Users\user\Desktop\VFCPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: VFCPoz.pdbVFCPoz.pdbpdbPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\VFCPoz.pdbg source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: System.Xml.pdbd source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbn source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2385584369.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: ##.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: System.Core.ni.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: \??\C:\Windows\exe\VFCPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2385584369.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\VFCPoz.pdbpdbPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: mscorlib.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: mscorlib.ni.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: n,C:\Windows\VFCPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384595537.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: VFCPoz.pdb source: HBL ASNLRU-20241001 & 20241002.exe, LVTDbQS.exe.0.dr
Source:	Binary string: \??\C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.PDB source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: VFCPoz.pdbSHA256 source: HBL ASNLRU-20241001 & 20241002.exe, LVTDbQS.exe.0.dr
Source:	Binary string: mscorlib.pdbH source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2385584369.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER1B94.tmp.dmp.20.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\VFCPoz.pdb\|) source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\VFCPoz.pdbO source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.5c70000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, yuDbQScDbRjCJQYnuc.cs	.Net Code: WtIrA4w4fe System.Reflection.Assembly.Load(byte[])
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, yuDbQScDbRjCJQYnuc.cs	.Net Code: WtIrA4w4fe System.Reflection.Assembly.Load(byte[])
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.2ce70b8.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 10.2.LVTDbQS.exe.31b6f88.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: HBL ASNLRU-20241001 & 20241002.exe

Static PE information: 0xF1FC883E [Tue Aug 26 02:36:46 2098 UTC]

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_05C99981 push eax; ret	0_2_05C9998D
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_05C988F2 push eax; ret	0_2_05C98919
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Code function: 0_2_070E2B53 pushad ; retf	0_2_070E2BC2
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 10_2_07269981 push eax; ret	10_2_0726998D
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 10_2_072688F2 push eax; ret	10_2_07268919
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE2E78 push esp; iretd	17_2_05DE2E79
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Code function: 17_2_05DE2990 push esp; retf	17_2_05DE2AC9

Source: HBL ASNLRU-20241001 & 20241002.exe	Static PE information: section name: .text entropy: 7.740647583879336
Source: LVTDbQS.exe.0.dr	Static PE information: section name: .text entropy: 7.740647583879336

Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, yuDbQScDbRjCJQYnuc.cs	High entropy of concatenated method names: 'ry8BYRvZMF', 'Yl2BSi6OEL', 'sprBkWFg1b', 'j2IBgqxKZJ', 'KnQB0loqRZ', 'wUaBP89U7D', 'jMXBLbSyLF', 'GrfBc3pTHp', 'jLXBG6wc0v', 'QJhBa9Ee6K'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, vE0IEcruDq3wXZnC2X.cs	High entropy of concatenated method names: 'aR8nL3kL2w', 'nkWncZ0vZy', 'JE5naUkenm', 'qWMnykUA2a', 'Q93nRCd91j', 'sKunZaJjcS', 'EyHOPIsf9MbYWX08X3', 'dJyE7QwraKOG6uNJDE', 'SXJnncFtCW', 'BlHnBM5BIZ'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, ameT1oktGht49Dt08B.cs	High entropy of concatenated method names: 'Dispose', 'MlbnDp7BeR', 'MWi4FELiwn', 'tWdPDxsxq6', 'PQbn7retGJ', 'kCjnzrSrcU', 'ProcessDialogKey', 'jbl4mVBaco', 'uh14nM4utW', 'phO44yphjG'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, muSaIlinQ7r8PLnqKv.cs	High entropy of concatenated method names: 'gaxxtpMkCs', 'iFdxVuyg5r', 'wYNxWvv8Cd', 'MacxFnh6RW', 'gxRxfLjfWt', 'iMExu3kDhj', 'RH2xpN6UcG', 'mvmxUJaBJ9', 'Fg9x3xUkNx', 'qg0xexnDbY'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, MosUsk4oQJlqsfElSr.cs	High entropy of concatenated method names: 'r6cAm0mD1', 'NegM6cQg8', 'F6cO1kUEo', 'q315lKxxr', 'wewVyje4i', 'XSp1LTB61', 'E9Fxiv59R6Oyew1S0e', 'E96M54Rf6v9SKLAMGs', 'oqlJInD8A', 'NCWKXDdb9'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, pXJrU8djAundI8DujW.cs	High entropy of concatenated method names: 'QmqR31CfTh', 'IFrRjVdqDn', 'l5LRd1pAh4', 'B7bRlNJNZJ', 'HUeRFB76w1', 'ymARweIZe2', 'lZnRfShN3P', 'qoBRuMiFUO', 'A62RC7OHiH', 'OM5RppVqLD'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, QZyofvgBRdwpgTcuBT.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'QrE4DqNnZ2', 'r1p47OW6CF', 'BN44zJkbfN', 'E5FBmWHZJ4', 'OrsBnOi1pB', 'mjEB4mvxOV', 'V6cBBVNoFb', 'zuchrKBFsLdKDTPEXFM'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, ulsL2yQ06MCOuqVDvW.cs	High entropy of concatenated method names: 'ToString', 'AjaZe9tCTC', 'omuZFOeHvt', 'BjVZwvuHoA', 'aMKZfwe07i', 'CHWZudVrsL', 'yNrZC8iwDs', 'o2RZpd1MFr', 'p38ZUPyIbU', 'CXsZX4bZ0G'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, mphjGr7u06isIqnUFR.cs	High entropy of concatenated method names: 'EmoKgGUQwr', 'J8GK0XZyeJ', 'lejKP4L2Kj', 'xwIKLKdXiH', 'yQKKhSmwTQ', 'EtoKckgVhf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, T3kL2wtxkWZ0vZyejt.cs	High entropy of concatenated method names: 'k9bkdwuALf', 'VZgklicmFt', 'QdjkQOWjJJ', 'ElIk8AEEwT', 'oIMk21vg29', 'rPUk6lZVrP', 'mXnkomMk6s', 'NNokNyviK1', 'LJkkD9bP8Z', 'wqZk7Tileq'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, v1jhKuWaJjcSAqQVNQ.cs	High entropy of concatenated method names: 'PqpPY5ncUZ', 'TnuPkkfXQ5', 'Al8P0KuxbS', 'trgPLxYrU7', 'wajPckf7GN', 'TK902RFYcc', 'JVl06ll2dR', 'miM0oeoKgV', 'uv60Nc1x5W', 'EoP0D0yJqk'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, ihsB5WpHhhSpMwA9AL.cs	High entropy of concatenated method names: 'zdjLSTLV6p', 'PmpLgrs4Ie', 'hduLPcd7cg', 'I7sP77ixKf', 'y4yPzG2y2j', 'SBrLm5DeWK', 'V7gLnblZH5', 'eiHL4S0Ucu', 'YJnLBhH9Zp', 'KEXLr1M7PD'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, I1Q1mBXaMDtFZ7gWRu.cs	High entropy of concatenated method names: 'xZWLbTA8j4', 'cSTLT0KWbP', 'vhMLAlwldq', 'JnJLMVb6Pn', 'GKpLIitqvE', 'x0kLOO7VZC', 'farL5dfOCk', 'qn7Lt1GGvC', 'U63LV6t7so', 'wd5L1FKcdk'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, pXMM5jnrrmuQXxXLFOK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nmcEhZAfpm', 'boCEKokPfZ', 'l6bEqOnVvm', 'I34EEPN5L6', 'PycEsdidBr', 'UEQE9XoDjj', 'Q5BEHJd1QD'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, LA2ae11OiLpx3d93Cd.cs	High entropy of concatenated method names: 'CxI0Is8Acm', 'VCk05KGZA3', 'PHkgwswF3H', 'BUSgfcYnYx', 'Gk5guQCuGc', 'BAbgC2IeZ1', 'V8tgpfoLQa', 'RHbgUmsub9', 'y40gXAtqte', 'QuHg3kNTUl'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, SVBacoDsh1M4utWZhO.cs	High entropy of concatenated method names: 'l5BhWxkPDk', 'VIuhFKbkvb', 'seFhwvIWFq', 'vpahfHBMif', 'RykhufbqOi', 'vVkhCZhivX', 'lNDhp3lASM', 'PTLhUDRFfM', 'W46hXrc0wK', 'ulgh3VMZte'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, XdjC4uVE5UkenmvWMk.cs	High entropy of concatenated method names: 'xIJgMWJuIF', 'gnfgOajXYB', 'fD9gtRkWsh', 'OmSgV5pmZq', 'PQvgRXY1Q3', 'zVfgZB7wr6', 'ShWgvZ7cVb', 'WHdgJlvf7A', 'OkpghRyudV', 'U56gKnJmWO'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, S7BlF3nnYQJqffP3AEo.cs	High entropy of concatenated method names: 'mvQK7F1YFv', 'mYvKzuviaP', 'c9gqmLn6a0', 'leNqn4AmnJ', 'tSIq4RG7QS', 'dVJqBoZFVd', 'a81qr0s0Lm', 'i4hqYSYE4g', 'PjWqSMAO44', 'I9Fqk7bYGK'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, TJk6Ea8KtNp4oC73Xr.cs	High entropy of concatenated method names: 'hUwvaqUwYv', 'MxWvyKbeRf', 'ToString', 'OE6vSKBSyT', 'YpmvkWkm2V', 'gh1vgksFY2', 'nVkv0n9hWf', 'SL8vPdH4SN', 's5KvLxcAgA', 'HaXvcsvQjM'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, WjdjrT69v1lGu7JNqe.cs	High entropy of concatenated method names: 'QgSvN8DyiQ', 'F3Ev7Ucmlu', 'VylJmdq0oZ', 'CTxJnbQFlc', 'CLNveKn7XO', 'iYevjOTZQ1', 'Q5XviCirW2', 'm44vdfrsow', 'DbDvliC30K', 'tNtvQHvs2G'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, IQadBZzP7RyEQfDt8U.cs	High entropy of concatenated method names: 'jbPKO9EmRO', 'MKBKtf4Yo4', 'fT7KViLOJn', 'o7mKWavWaE', 'jLkKF25uhE', 'FEFKfUKIbU', 'aG7KudEsU0', 'bn0KHGpjIn', 'qiBKbv5iHF', 'veOKTOytw0'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, BT9FlhoUwUlbp7BeRj.cs	High entropy of concatenated method names: 'LRWhRh7jN8', 'zbJhvVFG0t', 'J9dhhAmjvF', 'tkIhq7hkV8', 'MN6hsYghXs', 'sYfhHToMKq', 'Dispose', 'DsIJSdMNs0', 'mfRJkNpv9I', 'bL1JghJ1uo'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, vBSwlsnmCu85rtDst6u.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dgTKegKgbf', 'DOhKjeh1HY', 'wRfKiyaZGg', 'skfKdBpyBS', 'EUnKlZawKq', 'E8GKQLNu6Z', 'tsCK8GqIDi'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3c69818.3.raw.unpack, paBtPIFSurx0jpBxcK.cs	High entropy of concatenated method names: 'ilUpMmVMb8cBWkR6eI2', 'W081bMVu4FmKVF2HJC7', 'wXBPJMhJUX', 'wrdPhiiXpI', 'amLPKFsCnF', 'AHbiHTV7UNfQXky7EQO', 'ShUqF1VCCI3Yot5wte5'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, yuDbQScDbRjCJQYnuc.cs	High entropy of concatenated method names: 'ry8BYRvZMF', 'Yl2BSi6OEL', 'sprBkWFg1b', 'j2IBgqxKZJ', 'KnQB0loqRZ', 'wUaBP89U7D', 'jMXBLbSyLF', 'GrfBc3pTHp', 'jLXBG6wc0v', 'QJhBa9Ee6K'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, vE0IEcruDq3wXZnC2X.cs	High entropy of concatenated method names: 'aR8nL3kL2w', 'nkWncZ0vZy', 'JE5naUkenm', 'qWMnykUA2a', 'Q93nRCd91j', 'sKunZaJjcS', 'EyHOPIsf9MbYWX08X3', 'dJyE7QwraKOG6uNJDE', 'SXJnncFtCW', 'BlHnBM5BIZ'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, ameT1oktGht49Dt08B.cs	High entropy of concatenated method names: 'Dispose', 'MlbnDp7BeR', 'MWi4FELiwn', 'tWdPDxsxq6', 'PQbn7retGJ', 'kCjnzrSrcU', 'ProcessDialogKey', 'jbl4mVBaco', 'uh14nM4utW', 'phO44yphjG'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, muSaIlinQ7r8PLnqKv.cs	High entropy of concatenated method names: 'gaxxtpMkCs', 'iFdxVuyg5r', 'wYNxWvv8Cd', 'MacxFnh6RW', 'gxRxfLjfWt', 'iMExu3kDhj', 'RH2xpN6UcG', 'mvmxUJaBJ9', 'Fg9x3xUkNx', 'qg0xexnDbY'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, MosUsk4oQJlqsfElSr.cs	High entropy of concatenated method names: 'r6cAm0mD1', 'NegM6cQg8', 'F6cO1kUEo', 'q315lKxxr', 'wewVyje4i', 'XSp1LTB61', 'E9Fxiv59R6Oyew1S0e', 'E96M54Rf6v9SKLAMGs', 'oqlJInD8A', 'NCWKXDdb9'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, pXJrU8djAundI8DujW.cs	High entropy of concatenated method names: 'QmqR31CfTh', 'IFrRjVdqDn', 'l5LRd1pAh4', 'B7bRlNJNZJ', 'HUeRFB76w1', 'ymARweIZe2', 'lZnRfShN3P', 'qoBRuMiFUO', 'A62RC7OHiH', 'OM5RppVqLD'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, QZyofvgBRdwpgTcuBT.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'QrE4DqNnZ2', 'r1p47OW6CF', 'BN44zJkbfN', 'E5FBmWHZJ4', 'OrsBnOi1pB', 'mjEB4mvxOV', 'V6cBBVNoFb', 'zuchrKBFsLdKDTPEXFM'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, ulsL2yQ06MCOuqVDvW.cs	High entropy of concatenated method names: 'ToString', 'AjaZe9tCTC', 'omuZFOeHvt', 'BjVZwvuHoA', 'aMKZfwe07i', 'CHWZudVrsL', 'yNrZC8iwDs', 'o2RZpd1MFr', 'p38ZUPyIbU', 'CXsZX4bZ0G'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, mphjGr7u06isIqnUFR.cs	High entropy of concatenated method names: 'EmoKgGUQwr', 'J8GK0XZyeJ', 'lejKP4L2Kj', 'xwIKLKdXiH', 'yQKKhSmwTQ', 'EtoKckgVhf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, T3kL2wtxkWZ0vZyejt.cs	High entropy of concatenated method names: 'k9bkdwuALf', 'VZgklicmFt', 'QdjkQOWjJJ', 'ElIk8AEEwT', 'oIMk21vg29', 'rPUk6lZVrP', 'mXnkomMk6s', 'NNokNyviK1', 'LJkkD9bP8Z', 'wqZk7Tileq'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, v1jhKuWaJjcSAqQVNQ.cs	High entropy of concatenated method names: 'PqpPY5ncUZ', 'TnuPkkfXQ5', 'Al8P0KuxbS', 'trgPLxYrU7', 'wajPckf7GN', 'TK902RFYcc', 'JVl06ll2dR', 'miM0oeoKgV', 'uv60Nc1x5W', 'EoP0D0yJqk'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, ihsB5WpHhhSpMwA9AL.cs	High entropy of concatenated method names: 'zdjLSTLV6p', 'PmpLgrs4Ie', 'hduLPcd7cg', 'I7sP77ixKf', 'y4yPzG2y2j', 'SBrLm5DeWK', 'V7gLnblZH5', 'eiHL4S0Ucu', 'YJnLBhH9Zp', 'KEXLr1M7PD'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, I1Q1mBXaMDtFZ7gWRu.cs	High entropy of concatenated method names: 'xZWLbTA8j4', 'cSTLT0KWbP', 'vhMLAlwldq', 'JnJLMVb6Pn', 'GKpLIitqvE', 'x0kLOO7VZC', 'farL5dfOCk', 'qn7Lt1GGvC', 'U63LV6t7so', 'wd5L1FKcdk'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, pXMM5jnrrmuQXxXLFOK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nmcEhZAfpm', 'boCEKokPfZ', 'l6bEqOnVvm', 'I34EEPN5L6', 'PycEsdidBr', 'UEQE9XoDjj', 'Q5BEHJd1QD'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, LA2ae11OiLpx3d93Cd.cs	High entropy of concatenated method names: 'CxI0Is8Acm', 'VCk05KGZA3', 'PHkgwswF3H', 'BUSgfcYnYx', 'Gk5guQCuGc', 'BAbgC2IeZ1', 'V8tgpfoLQa', 'RHbgUmsub9', 'y40gXAtqte', 'QuHg3kNTUl'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, SVBacoDsh1M4utWZhO.cs	High entropy of concatenated method names: 'l5BhWxkPDk', 'VIuhFKbkvb', 'seFhwvIWFq', 'vpahfHBMif', 'RykhufbqOi', 'vVkhCZhivX', 'lNDhp3lASM', 'PTLhUDRFfM', 'W46hXrc0wK', 'ulgh3VMZte'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, XdjC4uVE5UkenmvWMk.cs	High entropy of concatenated method names: 'xIJgMWJuIF', 'gnfgOajXYB', 'fD9gtRkWsh', 'OmSgV5pmZq', 'PQvgRXY1Q3', 'zVfgZB7wr6', 'ShWgvZ7cVb', 'WHdgJlvf7A', 'OkpghRyudV', 'U56gKnJmWO'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, S7BlF3nnYQJqffP3AEo.cs	High entropy of concatenated method names: 'mvQK7F1YFv', 'mYvKzuviaP', 'c9gqmLn6a0', 'leNqn4AmnJ', 'tSIq4RG7QS', 'dVJqBoZFVd', 'a81qr0s0Lm', 'i4hqYSYE4g', 'PjWqSMAO44', 'I9Fqk7bYGK'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, TJk6Ea8KtNp4oC73Xr.cs	High entropy of concatenated method names: 'hUwvaqUwYv', 'MxWvyKbeRf', 'ToString', 'OE6vSKBSyT', 'YpmvkWkm2V', 'gh1vgksFY2', 'nVkv0n9hWf', 'SL8vPdH4SN', 's5KvLxcAgA', 'HaXvcsvQjM'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, WjdjrT69v1lGu7JNqe.cs	High entropy of concatenated method names: 'QgSvN8DyiQ', 'F3Ev7Ucmlu', 'VylJmdq0oZ', 'CTxJnbQFlc', 'CLNveKn7XO', 'iYevjOTZQ1', 'Q5XviCirW2', 'm44vdfrsow', 'DbDvliC30K', 'tNtvQHvs2G'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, IQadBZzP7RyEQfDt8U.cs	High entropy of concatenated method names: 'jbPKO9EmRO', 'MKBKtf4Yo4', 'fT7KViLOJn', 'o7mKWavWaE', 'jLkKF25uhE', 'FEFKfUKIbU', 'aG7KudEsU0', 'bn0KHGpjIn', 'qiBKbv5iHF', 'veOKTOytw0'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, BT9FlhoUwUlbp7BeRj.cs	High entropy of concatenated method names: 'LRWhRh7jN8', 'zbJhvVFG0t', 'J9dhhAmjvF', 'tkIhq7hkV8', 'MN6hsYghXs', 'sYfhHToMKq', 'Dispose', 'DsIJSdMNs0', 'mfRJkNpv9I', 'bL1JghJ1uo'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, vBSwlsnmCu85rtDst6u.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dgTKegKgbf', 'DOhKjeh1HY', 'wRfKiyaZGg', 'skfKdBpyBS', 'EUnKlZawKq', 'E8GKQLNu6Z', 'tsCK8GqIDi'
Source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.78a0000.5.raw.unpack, paBtPIFSurx0jpBxcK.cs	High entropy of concatenated method names: 'ilUpMmVMb8cBWkR6eI2', 'W081bMVu4FmKVF2HJC7', 'wXBPJMhJUX', 'wrdPhiiXpI', 'amLPKFsCnF', 'AHbiHTV7UNfQXky7EQO', 'ShUqF1VCCI3Yot5wte5'

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

File created: C:\Users\user\AppData\Roaming\LVTDbQS.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp2B05.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LVTDbQS.exe PID: 2072, type: MEMORYSTR

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Memory allocated: D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Memory allocated: 4A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Memory allocated: 8F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Memory allocated: 7A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Memory allocated: 29C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Memory allocated: 1560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Memory allocated: 4F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Memory allocated: 30D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Memory allocated: 3350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Memory allocated: 3150000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599853
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599312
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598874
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598436
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597984
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597875
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597765
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597546
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597094
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596875
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596094
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595874
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595761
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595547
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595437
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595327
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595218
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595109
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595000
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 594890
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 594781
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 594671
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 594562

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1453	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8548	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Window / User API: threadDelayed 1311
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Window / User API: threadDelayed 8546

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe TID: 3472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2076	Thread sleep count: 1453 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6200	Thread sleep count: 304 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6392	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 6844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 6632	Thread sleep count: 1311 > 30
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -599853s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 6632	Thread sleep count: 8546 > 30
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -599750s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -599640s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -599531s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -599312s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -599203s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -598874s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -598436s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -597984s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -597875s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -597765s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -597546s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -597219s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -597094s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -596875s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -596218s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -596094s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -595984s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -595874s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -595761s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -595656s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -595547s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -595437s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -595327s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -595218s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -595109s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -595000s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -594890s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -594781s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -594671s >= -30000s
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe TID: 2508	Thread sleep time: -594562s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599853
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599312
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598874
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598436
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597984
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597875
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597765
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597546
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 597094
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596875
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 596094
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595874
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595761
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595547
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595437
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595327
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595218
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595109
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 595000
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 594890
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 594781
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 594671
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Thread delayed: delay time: 594562

Source: Amcache.hve.20.dr	Binary or memory string: VMware
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.20.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.20.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.20.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.20.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.20.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.20.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.20.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.20.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384866535.0000000000E26000.00000004.00000020.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3328113938.000000000144A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.20.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.20.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2130678181.0000000006EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.20.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.20.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.20.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.20.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.20.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.20.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.20.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.20.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.20.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.20.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.20.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.20.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe

Code function: 17_2_05DE7D90 LdrInitializeThunk,

17_2_05DE7D90

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe"
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LVTDbQS.exe"
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LVTDbQS.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Memory written: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Memory written: C:\Users\user\AppData\Roaming\LVTDbQS.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LVTDbQS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp2B05.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Process created: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp3882.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe "C:\Users\user\AppData\Roaming\LVTDbQS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe "C:\Users\user\AppData\Roaming\LVTDbQS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe "C:\Users\user\AppData\Roaming\LVTDbQS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Process created: C:\Users\user\AppData\Roaming\LVTDbQS.exe "C:\Users\user\AppData\Roaming\LVTDbQS.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Queries volume information: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Queries volume information: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Users\user\AppData\Roaming\LVTDbQS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Users\user\AppData\Roaming\LVTDbQS.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.20.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.20.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.20.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.20.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.LVTDbQS.exe.401b1c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.LVTDbQS.exe.403bbe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.LVTDbQS.exe.403bbe0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3330703617.000000000351B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2386416479.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3330703617.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 7152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LVTDbQS.exe PID: 2072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LVTDbQS.exe PID: 2452, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\LVTDbQS.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.LVTDbQS.exe.401b1c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.LVTDbQS.exe.403bbe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.LVTDbQS.exe.403bbe0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 7152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LVTDbQS.exe PID: 2072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LVTDbQS.exe PID: 2452, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.HBL ASNLRU-20241001 & 20241002.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.LVTDbQS.exe.401b1c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.LVTDbQS.exe.403bbe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.LVTDbQS.exe.403bbe0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.LVTDbQS.exe.401b1c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b6ac48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL ASNLRU-20241001 & 20241002.exe.3b4a228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3330703617.000000000351B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2386416479.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3330703617.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 2108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HBL ASNLRU-20241001 & 20241002.exe PID: 7152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LVTDbQS.exe PID: 2072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LVTDbQS.exe PID: 2452, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HBL ASNLRU-20241001 & 20241002.exe	54%	Virustotal		Browse
HBL ASNLRU-20241001 & 20241002.exe	55%	ReversingLabs	Win32.Spyware.Snakekeylogger
HBL ASNLRU-20241001 & 20241002.exe	100%	Avira	TR/AD.SnakeStealer.yttup

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\LVTDbQS.exe	100%	Avira	TR/AD.SnakeStealer.yttup
C:\Users\user\AppData\Roaming\LVTDbQS.exe	55%	ReversingLabs	Win32.Spyware.Snakekeylogger

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org8	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.32.1	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	LVTDbQS.exe, 00000011.00000002.3330703617.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003414000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003457000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.000000000350D000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.20.dr	false		high
http://checkip.dyndns.org	HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2386416479.0000000002A87000.00000004.00000800.00020000.00000000.sdmp, HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2386416479.0000000002A6B000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003414000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003409000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.000000000350D000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2386416479.0000000002A87000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003414000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.000000000350D000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2126176784.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2386416479.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 0000000A.00000002.2159198594.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org8	LVTDbQS.exe, 00000011.00000002.3330703617.0000000003457000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, LVTDbQS.exe, 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	LVTDbQS.exe, 00000011.00000002.3330703617.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003457000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.000000000350D000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	LVTDbQS.exe, 00000011.00000002.3330703617.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.000000000342D000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.000000000350D000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	HBL ASNLRU-20241001 & 20241002.exe, 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, HBL ASNLRU-20241001 & 20241002.exe, 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, LVTDbQS.exe, 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, LVTDbQS.exe, 00000011.00000002.3330703617.0000000003414000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.32.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1629255
Start date and time:	2025-03-04 15:29:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HBL ASNLRU-20241001 & 20241002.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@26/18@2/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 279 Number of non-executed functions: 59
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.69.146.102, 23.199.214.10, 20.190.159.2, 13.107.253.72, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobvmssprdcus04.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target HBL ASNLRU-20241001 & 20241002.exe, PID 7152 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:30:06	API Interceptor	1x Sleep call for process: HBL ASNLRU-20241001 & 20241002.exe modified
09:30:08	API Interceptor	16x Sleep call for process: powershell.exe modified
09:30:10	API Interceptor	1733003x Sleep call for process: LVTDbQS.exe modified
09:30:36	API Interceptor	1x Sleep call for process: WerFault.exe modified
15:30:08	Task Scheduler	Run new task: LVTDbQS path: C:\Users\user\AppData\Roaming\LVTDbQS.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.32.1	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/scc1/five/fre.php
	Stormwater Works Drawings Spec.js	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	SFT20020117.exe	Get hash	malicious	FormBook	Browse	www.fz977.xyz/7p42/
	PO from tpc Type 34.1 34,2 35 Spec.js	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/3r9x/
	PO 87877889X,pdf.Vbs.vbs	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	http://projectlombok.org	Get hash	malicious	Unknown	Browse	projectlombok.org/
	(BBVA) SWIFT_consulta_de_operaciones 10-02-2025-PDF.exe	Get hash	malicious	FormBook	Browse	www.kdrqcyusevx.info/k7wl/
	SOA - Final Payment.exe	Get hash	malicious	FormBook	Browse	www.arryongro-nambe.live/ljgq/
	SOA-CAVER.exe	Get hash	malicious	FormBook	Browse	www.arryongro-nambe.live/ljgq/
158.101.44.242	SecuriteInfo.com.Win32.CrypterX-gen.12725.19686.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.CrypterX-gen.15930.15097.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	Verger Doc.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	akXjj2a58b.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	SVT638HOPD-HWYCTUI-PLSZT7393NG-2WDUPD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	NEW ORDER #3520187900.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	RFQ Pricelist.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Remittance Advice.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	Lfegtmdufjh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Request for Quote Conversion to USD and Price Valid.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	AWB#5305323204643.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	SecuriteInfo.com.Win32.CrypterX-gen.12725.19686.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	SecuriteInfo.com.Win32.CrypterX-gen.15930.15097.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	zooHQzUhh0xIDWC.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	AI_25_46416_418811192810.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	rPurchaseOrder-25-1201.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	Verger Doc.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Payment_Advice.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	HSBC_USD31,073.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.96.1
	Purchase Order # 8MJA15.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
checkip.dyndns.com	AWB#5305323204643.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SecuriteInfo.com.Win32.CrypterX-gen.12725.19686.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Win32.CrypterX-gen.15930.15097.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	zooHQzUhh0xIDWC.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	AI_25_46416_418811192810.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	rPurchaseOrder-25-1201.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Verger Doc.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Payment_Advice.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	HSBC_USD31,073.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Purchase Order # 8MJA15.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	AWB#5305323204643.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SecuriteInfo.com.Win32.CrypterX-gen.12725.19686.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Win32.CrypterX-gen.15930.15097.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	Verger Doc.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Payment_Advice.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	HSBC_USD31,073.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	akXjj2a58b.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	BL NO - SNKO05B25020019.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	SVT638HOPD-HWYCTUI-PLSZT7393NG-2WDUPD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	NEW ORDER #3520187900.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	https://getrunkhomuto.info/aVBHWG5WMzRlDD08Dz0rGTIEEFslNXZsIQoFN202HmE9C10gdiY6GlRgYSoLDW12fh0EbXZuSAJtYS5TWH50bEBaZmlsSBokNGVeTyA1NlNZdiI1DFRgYSwHDW12aVtYZnVgSBsoPmVfUGJ3B19ZaHd%2BBwczemlaTyV6a11ZZHFgXlBjdG1cWGB%2Bfg8ONSRlX15kd2BbXmR0akgPI3ppSAQyLDpTW2F0dlxYaXFpWFtgc25XWWhyfhwMNnowGh0gNH1dKHV1HktbFjQsQAo4JiwPBzcodg0GPWJqKAFlYmooDipiaigbYHRoX1tldmhdXHV1HgcNfi8sAwV2KCscVDEkPRQdIi41HUcgJj8LGn4jPRhPOjQsU1l2IjYcVGBhNA0cMXo1ARM5KzQPTGIBbUBZdXVoRh45KTwBHiNial4HJGJqXlhgaWhLWhJial4eOSluWkxjBX1cWShxbEdMYnc5Hhk8Ii8LCzsuLEtbFnJrWUdjcX1cWXgsMBoEPGJqLUxidzQHAjVial4ONSQzAUB1dWgNASIoNQtMYgFpXVp%2Bd3ZeR2Bial4aMSE5HAB1dR5bWmdpa1hPJD08U0RoYS0CBjN6fgcPbXd%2BDR1tdH4NHTN6YUg2YQYqO1RhcGxeUWZ2YVpdaXFtSBwkNWlTWWF9bllTZHdsXk8lMypcVGBhLRobY3poSBwkNWxTWXYyLBxcbXd%2BGx0icWVeTyUzKllUYGEuDwU5I2Vf	Get hash	malicious	Unknown	Browse	104.18.41.22
	Documentazione n 231-111.exe	Get hash	malicious	Destiny Stealer, PureLog Stealer, StormKitty, zgRAT	Browse	188.114.96.3
	kdfWuwngo2.exe	Get hash	malicious	Unknown	Browse	104.18.32.7
	https://drive.usercontent.google.com/u/0/uc?id=1HlAGxpD0Z9EdJFVn9k8S6TIRY_SBpAZ-&export=download	Get hash	malicious	Unknown	Browse	104.22.20.144
	AWB#5305323204643.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	SecuriteInfo.com.Win32.CrypterX-gen.12725.19686.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	SecuriteInfo.com.Win32.CrypterX-gen.15930.15097.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	factura pagada pdf.exe	Get hash	malicious	FormBook	Browse	172.67.160.167
	QUILTERCHEVIOT Opening Quarter Wage - 1321135775.pdf	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	104.17.25.14
	https://eu80394.ziflow.io/proof/3d14l9agtkgf3ks2oufr1jm9a5	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	AWB#5305323204643.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	SecuriteInfo.com.Win32.CrypterX-gen.12725.19686.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	SecuriteInfo.com.Win32.CrypterX-gen.15930.15097.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	zooHQzUhh0xIDWC.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	rPurchaseOrder-25-1201.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	Verger Doc.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	Payment_Advice.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	HSBC_USD31,073.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	Purchase Order # 8MJA15.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	BL NO - SNKO05B25020019.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HBL ASNLRU-20241_68d847ec65e7305a7f706541a48dbf8a20a7f3cf_92ce1c68_f6231f4d-cb93-47cf-9f84-cfaa73ec6071\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.108241490537727
Encrypted:	false
SSDEEP:	192:q6aRjcsb0T0BU/Ka6ce36izuiFHZ24IO8h:na1/b0ABU/KarVizuiFHY4IO8h
MD5:	BC0D9BC3FBA1D110E2428E004F3DC5C8
SHA1:	22ECFBA6044489C087A405E24794E5489FEBF83C
SHA-256:	1E164BFE2F725F3B421A2B0F50336013B1315C6C602AB7B015EBC944F8FBB8FA
SHA-512:	BFFDCB565181A7952FF954C9776760EAD026E4407255148D967A1C9FF3B00EC2E522AC0ACEF2C53F0ABB833EF560E4F9BB70A56A41326354185C3CA807B5A19D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.5.5.7.2.2.1.8.1.5.1.2.3.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.5.5.7.2.2.1.8.8.8.5.6.0.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.2.3.1.f.4.d.-.c.b.9.3.-.4.7.c.f.-.9.f.8.4.-.c.f.a.a.7.3.e.c.6.0.7.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.d.f.3.3.c.d.-.c.a.d.1.-.4.f.3.7.-.8.a.e.3.-.5.b.b.a.c.2.c.a.e.2.6.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.H.B.L. .A.S.N.L.R.U.-.2.0.2.4.1.0.0.1. .&. .2.0.2.4.1.0.0.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.V.F.C.P.o.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.f.0.-.0.0.0.1.-.0.0.1.4.-.b.f.1.d.-.d.6.e.d.1.1.8.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.e.b.5.0.b.d.7.6.0.0.0.8.a.1.a.b.3.a.8.4.b.b.2.8.5.c.2.f.b.9.a.0.0.0.0.0.0.0.0.!.0.0.0.0.4.f.0.b.6.3.d.3.1.7.0.8.8.4.3.4.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B94.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Mar 4 14:30:18 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	271390
Entropy (8bit):	3.6918577247540703
Encrypted:	false
SSDEEP:	1536:bWCdmCZapN4uE2aONSVXwSLTgX1KnAX8arPrCDUntTxOquBojR0csQ:bWOZc4uEqNy5LTgX8rUtNR0Q
MD5:	C4A318F8B7551519872DEF4B04F61365
SHA1:	48B894685731DC7B2AF8C5D3690FA77BFDD29735
SHA-256:	AA5E0797A197F72A14449EDD2A711409C219CCA4338D0FEC114DD95D9E070ABB
SHA-512:	8EB3B7EE9D13647BA6A7144C3A3A9601C0DE49D7D2A5BA6F553C3A39132F11DA0C3C5B245EEE8B39C4347C1CF866B1FAAD5350D273D032EDD14DA454454B3AD4
Malicious:	false
Preview:	MDMP..a..... .......z..g............D...............X.......<....#......d%..vS..........`.......8...........T............;..............,$...........&..............................................................................eJ.......&......GenuineIntel............T...........p..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D0C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6412
Entropy (8bit):	3.7325742273232496
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbEfj06pOY6C4xuQE/Kit5aM4UO89bf6sfC1m:R6l7wVeJ+j06wY340nprO89bf6sfC1m
MD5:	C17B38EAA741A8D684C3ED0F6F3F1E57
SHA1:	A812FB768BBFC6E75D706808A73AAFA7E753667C
SHA-256:	8D855DA8302E262BDA83E019EB8F275AFF6BBA07481B5B1B74EEB9A3BAD27FF6
SHA-512:	7125BDE0A572E9AC698DDA9A80B1F72728CE3614DBA431EE939F572AD7200BE22EF6814BF61909FF1C3C58D4DBF7F5E9944A4B54793D43E5A30833104C1BD07A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D4B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4776
Entropy (8bit):	4.536929069099721
Encrypted:	false
SSDEEP:	48:cvIwWl8zsmJg77aI9AbWpW8VYKUYm8M4JgVUjFSmj+q8nJg5tOtK/KCd:uIjf8I7qq7VThJkmjF5tOUCCd
MD5:	D59F8218A1EB8F8ACA885591F179F9CA
SHA1:	0CF3BFD814AA4D09105F07072039214DDC54639A
SHA-256:	D31F69BF48CD18923D471B8D75AD486A19A4A7EFAC8652923AC2CAC23524F87B
SHA-512:	F08DC07222DABDCF5B8CE317542786275B047DB16902A4818BD6246D4FB9B294BC847D72DF1C50CFC9828FAE8F0BEB8CBCB85D7491A92529CA549B02B4DD8B20
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="746252" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HBL ASNLRU-20241001 & 20241002.exe.log

Download File

Process:	C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.337066511654157
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4xLE4qE4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzez
MD5:	D57AD127A5ACBA75AAB48EA9837668DC
SHA1:	44CEDF77707CDFE90E176F836AC6F5596EC8A01F
SHA-256:	D44E4C857ADEC2657EDEEE67750775787007B70B7CED7A4C1EF40070DDA3E48D
SHA-512:	09E72155EA88645B2A93A581589469B964B9DC7600D2BCFDB537368670E3F4598A623C198E65CF8F678B84339014B9B653F1B917BF21F9C77D9671399C72FEB9
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LVTDbQS.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\LVTDbQS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.337066511654157
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4xLE4qE4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzez
MD5:	D57AD127A5ACBA75AAB48EA9837668DC
SHA1:	44CEDF77707CDFE90E176F836AC6F5596EC8A01F
SHA-256:	D44E4C857ADEC2657EDEEE67750775787007B70B7CED7A4C1EF40070DDA3E48D
SHA-512:	09E72155EA88645B2A93A581589469B964B9DC7600D2BCFDB537368670E3F4598A623C198E65CF8F678B84339014B9B653F1B917BF21F9C77D9671399C72FEB9
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZPUyjNs:fLHyIFKL3IZ2KRH9OugWNs
MD5:	5040BC0AA3939852C2FCC47A13FA166B
SHA1:	509CA0EC93DC9A43512694FFC398328207DC8339
SHA-256:	17C04186A1ADA525DA8F869BB03747D347F45888CCA863DE1941B9FC457361F4
SHA-512:	B9508550F9045948C54E39BDF40C2DB62A768568C9A89930DABF211E8B24851A8F7506ACBA37F4138F16DF0746A323C84ABDB4DDE7214336C93958918F3E944B
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_azpotikz.xas.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gx0z3fnp.4jb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gzfxj3eh.pay.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0xmi2rw.syq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pms11t1l.wcs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r2hdiin5.x0w.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp2B05.tmp

Download File

Process:	C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.106244871020192
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtixvn:cgergYrFdOFzOzN33ODOiDdKrsuTmv
MD5:	0D20B23098EBBBBA9F9D95AA1D651AB0
SHA1:	AABB0827CB2E784FC96DF3551CB0D603CA5E9FD7
SHA-256:	4355A8189B52754EA56D70C25C7C70C80C322BBA667E12169BA31478C3D2D075
SHA-512:	DE7102F3764609434D142AB45B506FE0BE4235EF4B34877172D7B6C253D06DFCD30AAFEAA90EC23450D179E10703E39DF428FB2AF860E9009993C6B46DBB7962
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp3882.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\LVTDbQS.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.106244871020192
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtixvn:cgergYrFdOFzOzN33ODOiDdKrsuTmv
MD5:	0D20B23098EBBBBA9F9D95AA1D651AB0
SHA1:	AABB0827CB2E784FC96DF3551CB0D603CA5E9FD7
SHA-256:	4355A8189B52754EA56D70C25C7C70C80C322BBA667E12169BA31478C3D2D075
SHA-512:	DE7102F3764609434D142AB45B506FE0BE4235EF4B34877172D7B6C253D06DFCD30AAFEAA90EC23450D179E10703E39DF428FB2AF860E9009993C6B46DBB7962
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\LVTDbQS.exe

Download File

Process:	C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	775168
Entropy (8bit):	7.733680679749396
Encrypted:	false
SSDEEP:	12288:1TertEuoAHXKjkHQ/Giy21sJStIqHHQBr+e1Ka1S7Zzrg:1i3oA6jkHdi3GStjHH4r+eIa1w
MD5:	FE222287C00487A369814CEB43C0CA5C
SHA1:	4F0B63D3170884342A2DD14F4417DF0704DE81FF
SHA-256:	FC49789A6BF991FBB9B3ABFC8BCB3F648FAEA56874F0ECFCF66587C1CA746133
SHA-512:	2D3D21B06F81FAB0F848FC1D20B05E8490F3FD0E3A15832B763792EA12293208A76A8A911CF1A0AB9BC650FD5C8891E59E80CA05CAB71D0F40654F878D922ECD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>.................0.............j.... ........@.. .......................@............@.....................................O............................ ..........p............................................ ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................J.......H.......$....y............................................................{......{....V.(......}......}.......0..C........u........6.,0(.....{.....{....o....,.(.....{.....{....o....+..+... ~.F. )UU.Z(.....{....o....X )UU.Z(.....{....o ...X.0..b........r...p......%..{.......%q.........-.&.+.......o!....%..{.......%q.........-.&.+.......o!....(".....{#.....{$.....{%...r.(......}#.....}$.....}%.....0..[........u........N.,H(.....{#....{#...o....,0(.....{$....{$...o....

C:\Users\user\AppData\Roaming\LVTDbQS.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421884737040547
Encrypted:	false
SSDEEP:	6144:4Svfpi6ceLP/9skLmb0OTeWSPHaJG8nAgeMZMMhA2fX4WABlEnNR0uhiTw:DvloTeW+EZMM6DFyn03w
MD5:	99FBE489DAD2A665351CAB07884DE3DE
SHA1:	57468CED388025C8A8FD2F92436BED9EC1C7D2E5
SHA-256:	C5AC0DAB7F3EE7E74FAF840E71A2A284817E2B2B69333A9B3EAB0A27640EE1CE
SHA-512:	DC5977C5B7EB867070B1DD8E8B38F19225B68A5D58C29E2873ACD7556E8B948F165D06826B14AD8C495D6170525582F0A1BB5BA67C376196DC76C5302D3CA105
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...................................................................................................................................................................................................................................................................................................................................................a...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.733680679749396
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	HBL ASNLRU-20241001 & 20241002.exe
File size:	775'168 bytes
MD5:	fe222287c00487a369814ceb43c0ca5c
SHA1:	4f0b63d3170884342a2dd14f4417df0704de81ff
SHA256:	fc49789a6bf991fbb9b3abfc8bcb3f648faea56874f0ecfcf66587c1ca746133
SHA512:	2d3d21b06f81fab0f848fc1d20b05e8490f3fd0e3a15832b763792ea12293208a76a8a911cf1a0ab9bc650fd5c8891e59e80ca05cab71d0f40654f878d922ecd
SSDEEP:	12288:1TertEuoAHXKjkHQ/Giy21sJStIqHHQBr+e1Ka1S7Zzrg:1i3oA6jkHdi3GStjHH4r+eIa1w
TLSH:	78F4E0351668CB43D6B107F54536E07663782CECA424CA1AAFCA7CEBB9B6F031E14653
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>.................0.............j.... ........@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4be96a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF1FC883E [Tue Aug 26 02:36:46 2098 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbe916	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x5f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xbc6b4	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbc970	0xbca00	d5d165b789cf66b7c6c43737c4217bc9	False	0.85756813286945	data	7.740647583879336	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x5f4	0x600	103371fe60e74534b026803cd65ed4ae	False	0.4303385416666667	data	4.1924375203145745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0xc	0x200	b6896c06e3c69ec991d86c9df25aaf06	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0090	0x364	data			0.41705069124423966
RT_MANIFEST	0xc0404	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	SkillsInternationalSchoolApp
FileVersion	1.0.0.0
InternalName	VFCPoz.exe
LegalCopyright	Copyright 2024
LegalTrademarks
OriginalFilename	VFCPoz.exe
ProductName	SkillsInternationalSchoolApp
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-04T15:30:23.038370+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	158.101.44.242	80	TCP
2025-03-04T15:30:25.475840+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	158.101.44.242	80	TCP
2025-03-04T15:30:26.077502+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49725	104.21.32.1	443	TCP
2025-03-04T15:30:27.710217+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49731	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 4, 2025 15:30:09.735548973 CET	49707	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:09.740683079 CET	80	49707	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:09.740876913 CET	49707	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:09.741151094 CET	49707	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:09.746181965 CET	80	49707	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:13.006028891 CET	49710	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:13.012747049 CET	80	49710	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:13.013134003 CET	49710	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:13.013134003 CET	49710	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:13.018282890 CET	80	49710	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:18.837897062 CET	80	49707	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:18.882042885 CET	49707	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:19.331442118 CET	80	49710	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:19.337151051 CET	49710	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:19.342262983 CET	80	49710	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:22.986114025 CET	80	49710	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:23.038369894 CET	49710	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:23.781766891 CET	49719	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:23.781785965 CET	443	49719	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:23.781882048 CET	49719	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:23.789922953 CET	49719	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:23.789937973 CET	443	49719	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:24.261814117 CET	443	49719	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:24.261904955 CET	49719	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:24.295384884 CET	49719	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:24.295411110 CET	443	49719	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:24.296482086 CET	443	49719	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:24.350811005 CET	49719	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:24.379255056 CET	49719	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:24.420344114 CET	443	49719	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:24.499259949 CET	443	49719	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:24.499321938 CET	443	49719	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:24.499376059 CET	49719	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:24.669616938 CET	49719	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:24.681212902 CET	49710	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:24.686733961 CET	80	49710	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:25.431437969 CET	80	49710	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:25.433948040 CET	49725	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:25.433973074 CET	443	49725	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:25.434154034 CET	49725	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:25.434493065 CET	49725	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:25.434506893 CET	443	49725	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:25.475840092 CET	49710	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:25.937689066 CET	443	49725	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:25.943855047 CET	49725	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:25.943876028 CET	443	49725	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:26.077414036 CET	443	49725	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:26.077465057 CET	443	49725	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:26.077832937 CET	49725	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:26.078568935 CET	49725	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:26.082936049 CET	49710	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:26.084434986 CET	49731	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:26.088136911 CET	80	49710	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:26.088279963 CET	49710	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:26.089449883 CET	80	49731	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:26.089538097 CET	49731	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:26.089624882 CET	49731	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:26.095716953 CET	80	49731	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:27.667506933 CET	80	49731	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:27.670533895 CET	49742	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:27.670563936 CET	443	49742	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:27.670681000 CET	49742	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:27.670939922 CET	49742	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:27.670955896 CET	443	49742	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:27.710216999 CET	49731	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:28.138226032 CET	443	49742	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:28.140681028 CET	49742	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:28.140697956 CET	443	49742	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:28.282330036 CET	443	49742	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:28.282390118 CET	443	49742	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:28.283034086 CET	49742	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:28.283437967 CET	49742	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:28.290357113 CET	49749	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:28.295573950 CET	80	49749	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:28.295972109 CET	49749	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:28.296329021 CET	49749	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:28.301614046 CET	80	49749	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:28.883644104 CET	80	49749	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:28.885000944 CET	49751	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:28.885036945 CET	443	49751	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:28.885103941 CET	49751	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:28.885329962 CET	49751	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:28.885343075 CET	443	49751	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:28.929080009 CET	49749	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:29.374376059 CET	443	49751	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:29.376560926 CET	49751	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:29.376585007 CET	443	49751	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:29.518199921 CET	443	49751	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:29.518260002 CET	443	49751	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:29.518424034 CET	49751	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:29.519109964 CET	49751	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:29.523525953 CET	49749	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:29.525127888 CET	49756	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:29.528888941 CET	80	49749	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:29.528968096 CET	49749	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:29.530435085 CET	80	49756	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:29.530915022 CET	49756	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:29.531058073 CET	49756	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:29.536134005 CET	80	49756	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:31.095462084 CET	80	49756	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:31.097671032 CET	49769	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:31.097716093 CET	443	49769	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:31.097774029 CET	49769	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:31.100358963 CET	49769	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:31.100380898 CET	443	49769	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:31.147676945 CET	49756	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:31.561207056 CET	443	49769	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:31.566468954 CET	49769	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:31.566509962 CET	443	49769	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:31.701070070 CET	443	49769	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:31.701133013 CET	443	49769	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:31.701230049 CET	49769	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:31.712958097 CET	49769	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:31.855784893 CET	49756	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:31.857981920 CET	49775	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:31.861130953 CET	80	49756	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:31.861265898 CET	49756	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:31.863078117 CET	80	49775	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:31.864803076 CET	49775	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:31.866004944 CET	49775	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:31.871021032 CET	80	49775	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:32.429085970 CET	80	49775	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:32.431328058 CET	49783	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:32.431339979 CET	443	49783	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:32.431421041 CET	49783	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:32.431780100 CET	49783	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:32.431786060 CET	443	49783	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:32.475828886 CET	49775	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:32.938750029 CET	443	49783	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:32.941998959 CET	49783	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:32.942013979 CET	443	49783	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:33.129004002 CET	443	49783	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:33.129070997 CET	443	49783	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:33.129152060 CET	49783	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:33.129676104 CET	49783	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:33.135081053 CET	49775	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:33.136321068 CET	49789	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:33.140347958 CET	80	49775	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:33.140419960 CET	49775	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:33.141396999 CET	80	49789	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:33.141480923 CET	49789	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:33.141587019 CET	49789	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:33.146593094 CET	80	49789	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:33.906666040 CET	80	49789	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:33.908485889 CET	49796	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:33.908515930 CET	443	49796	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:33.908591032 CET	49796	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:33.908883095 CET	49796	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:33.908896923 CET	443	49796	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:33.960249901 CET	49789	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:34.373269081 CET	443	49796	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:34.410006046 CET	49796	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:34.410022020 CET	443	49796	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:34.525281906 CET	443	49796	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:34.525347948 CET	443	49796	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:34.525405884 CET	49796	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:34.541188002 CET	49796	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:34.684990883 CET	49789	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:34.690193892 CET	80	49789	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:34.690277100 CET	49789	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:34.721201897 CET	49802	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:34.726289988 CET	80	49802	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:34.726377010 CET	49802	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:34.730902910 CET	49802	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:34.736116886 CET	80	49802	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:36.843164921 CET	80	49802	158.101.44.242	192.168.2.5
Mar 4, 2025 15:30:36.844707966 CET	49815	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:36.844763041 CET	443	49815	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:36.844849110 CET	49815	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:36.845118046 CET	49815	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:36.845129967 CET	443	49815	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:36.897681952 CET	49802	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:30:37.310853004 CET	443	49815	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:37.319287062 CET	49815	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:37.319303989 CET	443	49815	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:37.480622053 CET	443	49815	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:37.480684042 CET	443	49815	104.21.32.1	192.168.2.5
Mar 4, 2025 15:30:37.480729103 CET	49815	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:37.482825041 CET	49815	443	192.168.2.5	104.21.32.1
Mar 4, 2025 15:30:37.932084084 CET	49707	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:31:32.673739910 CET	80	49731	158.101.44.242	192.168.2.5
Mar 4, 2025 15:31:32.673811913 CET	49731	80	192.168.2.5	158.101.44.242
Mar 4, 2025 15:31:41.843893051 CET	80	49802	158.101.44.242	192.168.2.5
Mar 4, 2025 15:31:41.844053030 CET	49802	80	192.168.2.5	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 4, 2025 15:30:09.705899954 CET	59718	53	192.168.2.5	1.1.1.1
Mar 4, 2025 15:30:09.713336945 CET	53	59718	1.1.1.1	192.168.2.5
Mar 4, 2025 15:30:23.770514965 CET	59228	53	192.168.2.5	1.1.1.1
Mar 4, 2025 15:30:23.781088114 CET	53	59228	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 4, 2025 15:30:09.705899954 CET	192.168.2.5	1.1.1.1	0x62a6	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 4, 2025 15:30:23.770514965 CET	192.168.2.5	1.1.1.1	0x86cc	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 4, 2025 15:30:09.713336945 CET	1.1.1.1	192.168.2.5	0x62a6	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 4, 2025 15:30:09.713336945 CET	1.1.1.1	192.168.2.5	0x62a6	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 4, 2025 15:30:09.713336945 CET	1.1.1.1	192.168.2.5	0x62a6	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 4, 2025 15:30:09.713336945 CET	1.1.1.1	192.168.2.5	0x62a6	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 4, 2025 15:30:09.713336945 CET	1.1.1.1	192.168.2.5	0x62a6	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 4, 2025 15:30:09.713336945 CET	1.1.1.1	192.168.2.5	0x62a6	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 4, 2025 15:30:23.781088114 CET	1.1.1.1	192.168.2.5	0x86cc	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 4, 2025 15:30:23.781088114 CET	1.1.1.1	192.168.2.5	0x86cc	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 4, 2025 15:30:23.781088114 CET	1.1.1.1	192.168.2.5	0x86cc	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 4, 2025 15:30:23.781088114 CET	1.1.1.1	192.168.2.5	0x86cc	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 4, 2025 15:30:23.781088114 CET	1.1.1.1	192.168.2.5	0x86cc	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 4, 2025 15:30:23.781088114 CET	1.1.1.1	192.168.2.5	0x86cc	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 4, 2025 15:30:23.781088114 CET	1.1.1.1	192.168.2.5	0x86cc	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	158.101.44.242	80	7152	C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe

Timestamp	Bytes transferred	Direction	Data
Mar 4, 2025 15:30:09.741151094 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 4, 2025 15:30:18.837897062 CET	745	IN	HTTP/1.1 504 Gateway Time-out Date: Tue, 04 Mar 2025 14:30:18 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: d36016977cec9a108b7337849617f7af Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	158.101.44.242	80	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
Mar 4, 2025 15:30:13.013134003 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 4, 2025 15:30:19.331442118 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 14e2cc0da19586ad4ccc09a6579abe04 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 4, 2025 15:30:19.337151051 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 4, 2025 15:30:22.986114025 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0e93254fc011927f89d3ca961ad631ec Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 4, 2025 15:30:24.681212902 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 4, 2025 15:30:25.431437969 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 92146c148279f022edf4c0462e201ee0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49731	158.101.44.242	80	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
Mar 4, 2025 15:30:26.089624882 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 4, 2025 15:30:27.667506933 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 477e8e431f3a1a7f3efb6225a00e30c9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49749	158.101.44.242	80	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
Mar 4, 2025 15:30:28.296329021 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 4, 2025 15:30:28.883644104 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9554aacad8932ad4f43f77fca85160a6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49756	158.101.44.242	80	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
Mar 4, 2025 15:30:29.531058073 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 4, 2025 15:30:31.095462084 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ac4914839fd0164bde6ad2bcf20a214e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49775	158.101.44.242	80	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
Mar 4, 2025 15:30:31.866004944 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 4, 2025 15:30:32.429085970 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d092fa9237205b248ed0abf1ec820352 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49789	158.101.44.242	80	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
Mar 4, 2025 15:30:33.141587019 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 4, 2025 15:30:33.906666040 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 143fcaa6a3812b2060b0706f0eab6a04 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49802	158.101.44.242	80	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
Mar 4, 2025 15:30:34.730902910 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 4, 2025 15:30:36.843164921 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c1de2a620b4cf8444871ab63c4bea4e4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49719	104.21.32.1	443	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-04 14:30:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-04 14:30:24 UTC	860	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 184367 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Sun, 02 Mar 2025 11:17:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=si6Z%2FBtK4y4uT9OfV011u2Epx3%2BUJJuTU0MHRMLIyP5OikDCE73KrYSX4YXtlysC%2FAIChHW%2BoqI%2FfSJIpFLP24CvULRvqokmfSogOMffnxV%2BicKHJbmTZ5MOzVgviOBi3vcZF5J9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b21242bc6f1875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1770&min_rtt=1752&rtt_var=670&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1666666&cwnd=190&unsent_bytes=0&cid=b10ed50ecdd34c4e&ts=252&x=0"
2025-03-04 14:30:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49725	104.21.32.1	443	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-04 14:30:25 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-03-04 14:30:26 UTC	862	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 184368 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Sun, 02 Mar 2025 11:17:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S4ytfY8x%2Fhbiyw7%2FP%2FnMQPbSpwandzQg3VJibzdK5Wq2452PkusccM6CIaPiZhn8Pb8xJR7WBv%2Brvh1nQJj1%2Fq4R11YwKfDi%2BvXG1VXfzJPstwc6v1kgfXlNWgGS2z25mt%2FlMYjC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b2124c981e72b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1896&min_rtt=1888&rtt_var=724&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1495901&cwnd=238&unsent_bytes=0&cid=68e39ff851e2583e&ts=146&x=0"
2025-03-04 14:30:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49742	104.21.32.1	443	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-04 14:30:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-04 14:30:28 UTC	864	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 184371 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Sun, 02 Mar 2025 11:17:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ozpuMK2qkaumRiAVTeCiuvi05nwLmTX7ctF%2FSoh595ug2Ok%2F4n5L0UY4UfiurYeZPEs94ZLpt%2BnYBy1nQXAtGIEiCNZHodkAkGtQnMp4XM%2BThN%2FJg6aO%2F%2F2yS2sr7%2BAZbtOfHC5V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b2125a5bce72b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1859&min_rtt=1856&rtt_var=703&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1549893&cwnd=238&unsent_bytes=0&cid=0d3ce4b56a1d485f&ts=148&x=0"
2025-03-04 14:30:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49751	104.21.32.1	443	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-04 14:30:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-04 14:30:29 UTC	862	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 184372 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Sun, 02 Mar 2025 11:17:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U5jh52fmOvUr%2F3khJP7%2FtaUJFvRTD4qvJB2r53upTMzKTOAAVAX%2BsXACMTp6hJ9X4H74Egv6%2B3H1P1Bg7uI%2Bj%2FNaBvVIQuXfGCoRADLsbdNjxhbVUdijoc%2BDzIYG86npLg7VVDHP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b212621de3c327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1806&min_rtt=1682&rtt_var=880&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1089552&cwnd=184&unsent_bytes=0&cid=58394ad475e9ef69&ts=150&x=0"
2025-03-04 14:30:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49769	104.21.32.1	443	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-04 14:30:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-04 14:30:31 UTC	850	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 184374 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Sun, 02 Mar 2025 11:17:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hWIJ7T2k5i9kVWFEaSXLyZX4u8aHNJaQtqUfuKxIT5Uvt7YsRbCKuP3qCBJIFqSmvdHX8SN%2FNoym9W45E3DNISxA0OO28QPnZfDPHZP2zJBuDCyaBsLY7J83KQ5fwd25MMW44g1o"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b2126fcef172b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1871&min_rtt=1862&rtt_var=716&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1509043&cwnd=238&unsent_bytes=0&cid=3329644977765dfe&ts=142&x=0"
2025-03-04 14:30:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49783	104.21.32.1	443	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-04 14:30:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-04 14:30:33 UTC	858	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 184375 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Sun, 02 Mar 2025 11:17:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hz40Eb6I8cPxE0RIgMXVDe54Fw6Zc%2FkpZnCDf1LyEcEXRopXP1ZfLWrRD5r51Mv0JSnOFhfKcvhMhbqm4Red%2FwmBf%2FiTzSKzFVxom2mPQ%2FAiJKv%2BszTv9SOz82m0j4S31bPPiUGJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b212787a154344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1828&min_rtt=1821&rtt_var=688&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1603514&cwnd=159&unsent_bytes=0&cid=081943c83c280642&ts=198&x=0"
2025-03-04 14:30:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49796	104.21.32.1	443	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-04 14:30:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-04 14:30:34 UTC	852	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 184377 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Sun, 02 Mar 2025 11:17:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5dwxOOUODqZn6S5PGjyPMyuOPLfVqZKSJUsROEzlDbrdTTdzyT3yXtLm5P1AbUpPWgiQcNy20WbkClE37QdojiBISeVMX9RKlhLxAbMpfIteyMuaITT99syms%2Fx7nX%2F3NEGb9XXl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b212816d084344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1900&min_rtt=1871&rtt_var=723&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1560662&cwnd=159&unsent_bytes=0&cid=99d4e1b97f16102a&ts=157&x=0"
2025-03-04 14:30:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49815	104.21.32.1	443	2452	C:\Users\user\AppData\Roaming\LVTDbQS.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-04 14:30:37 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-04 14:30:37 UTC	854	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 14:30:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 184380 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Sun, 02 Mar 2025 11:17:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FobUP14FKEcIJJ%2F2BMI4OIXT8qodhMKYKPekclRLMi2V41q0fBMEGKH0vpTOQNJRJddfb7GUAEtBP363N6XS07lcLRto6hzkEUgXPPHvstUEpuEFPgwsz4lar40gbhdMTn6K%2BqtI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b21293cba141a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1747&min_rtt=1736&rtt_var=674&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1594756&cwnd=213&unsent_bytes=0&cid=9e3105dff4a95b44&ts=177&x=0"
2025-03-04 14:30:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	09:30:05
Start date:	04/03/2025
Path:	C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe"
Imagebase:	0x650000
File size:	775'168 bytes
MD5 hash:	FE222287C00487A369814CEB43C0CA5C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2127647331.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:30:07
Start date:	04/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe"
Imagebase:	0x2b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:30:07
Start date:	04/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:30:07
Start date:	04/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LVTDbQS.exe"
Imagebase:	0x2b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:30:07
Start date:	04/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:30:07
Start date:	04/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp2B05.tmp"
Imagebase:	0xea0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:30:07
Start date:	04/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:30:08
Start date:	04/03/2025
Path:	C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HBL ASNLRU-20241001 & 20241002.exe"
Imagebase:	0x6c0000
File size:	775'168 bytes
MD5 hash:	FE222287C00487A369814CEB43C0CA5C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000009.00000002.2384350555.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.2386416479.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:30:08
Start date:	04/03/2025
Path:	C:\Users\user\AppData\Roaming\LVTDbQS.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\LVTDbQS.exe
Imagebase:	0xb10000
File size:	775'168 bytes
MD5 hash:	FE222287C00487A369814CEB43C0CA5C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000A.00000002.2162268144.000000000401B000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:30:09
Start date:	04/03/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:30:11
Start date:	04/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVTDbQS" /XML "C:\Users\user\AppData\Local\Temp\tmp3882.tmp"
Imagebase:	0xea0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:30:11
Start date:	04/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:30:11
Start date:	04/03/2025
Path:	C:\Users\user\AppData\Roaming\LVTDbQS.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\LVTDbQS.exe"
Imagebase:	0xa0000
File size:	775'168 bytes
MD5 hash:	FE222287C00487A369814CEB43C0CA5C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:30:11
Start date:	04/03/2025
Path:	C:\Users\user\AppData\Roaming\LVTDbQS.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\LVTDbQS.exe"
Imagebase:	0x3b0000
File size:	775'168 bytes
MD5 hash:	FE222287C00487A369814CEB43C0CA5C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:30:11
Start date:	04/03/2025
Path:	C:\Users\user\AppData\Roaming\LVTDbQS.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\LVTDbQS.exe"
Imagebase:	0x200000
File size:	775'168 bytes
MD5 hash:	FE222287C00487A369814CEB43C0CA5C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:30:11
Start date:	04/03/2025
Path:	C:\Users\user\AppData\Roaming\LVTDbQS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\LVTDbQS.exe"
Imagebase:	0xf30000
File size:	775'168 bytes
MD5 hash:	FE222287C00487A369814CEB43C0CA5C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000011.00000002.3330703617.000000000351B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000011.00000002.3330703617.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	09:30:17
Start date:	04/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 1516
Imagebase:	0x4c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HBL ASNLRU-20241001 & 20241002.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HBL ASNLRU-20241_68d847ec65e7305a7f706541a48dbf8a20a7f3cf_92ce1c68_f6231f4d-cb93-47cf-9f84-cfaa73ec6071\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B94.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D0C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D4B.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HBL ASNLRU-20241001 & 20241002.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LVTDbQS.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_azpotikz.xas.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gx0z3fnp.4jb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gzfxj3eh.pay.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0xmi2rw.syq.psm1

Windows Analysis Report
HBL ASNLRU-20241001 & 20241002.exe