
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1637445
MD5: 4890b9e6f9b73e6ad6d1ddf88044eaf2
SHA1: 939c961a8e06366a0d25b9c2815b64c3c0ac989e
SHA256: 6e9fb253ec84086b218bb9e2f2993ac0a628e562073f1ed2bdcd21d3d65baead
Tags: NET, exe, MSIL, user-jstrosch

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 5236, cmdline: "C:\Users\user\Desktop\file.exe", MD5: 4890B9E6F9B73E6AD6D1DDF88044EAF2)
  • cleanup

Malware configuration (MassLogger): {"EXfil Mode": "SMTP", "From": "thejaswi@tsengg.com", "Password": "@bettermoney3490", "Server": "mail.tsengg.com"}
Yara matches: submitted file

Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
file.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
file.exe | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security |
file.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
file.exe | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings:
  • 0x101f9:$a1: get_encryptedPassword
  • 0x10535:$a2: get_encryptedUsername
  • 0xff86:$a3: get_timePasswordChanged
  • 0x100a7:$a4: get_passwordField
  • 0x1020f:$a5: set_encryptedPassword
  • 0x11bdf:$a7: get_logins
  • 0x11890:$a8: GetOutlookPasswords
  • 0x1166e:$a9: StartKeylogger
  • 0x11b2f:$a10: KeyLoggerEventArgs
  • 0x116cb:$a11: KeyLoggerEventArgsEventHandler

Yara matches: memory dumps

Source | Rule | Description | Author | Strings
00000000.00000002.3378542731.00000000034AC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.3378542731.00000000034AC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security |

Yara matches: unpacked PE files

Source | Rule | Description | Author | Strings
0.0.file.exe.ed0000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
0.0.file.exe.ed0000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.0.file.exe.ed0000.0.unpack | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security |
0.0.file.exe.ed0000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0.0.file.exe.ed0000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings:
  • 0x101f9:$a1: get_encryptedPassword
  • 0x10535:$a2: get_encryptedUsername
  • 0xff86:$a3: get_timePasswordChanged
  • 0x100a7:$a4: get_passwordField
  • 0x1020f:$a5: set_encryptedPassword
  • 0x11bdf:$a7: get_logins
  • 0x11890:$a8: GetOutlookPasswords
  • 0x1166e:$a9: StartKeylogger
  • 0x11b2f:$a10: KeyLoggerEventArgs
  • 0x116cb:$a11: KeyLoggerEventArgsEventHandler

                            System Summary

Sigma rule match: Suspicious Outbound SMTP Connections
Source: Network Connection | Author: frack113 | Data: DestinationIp: 103.21.58.29, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\file.exe, Initiated: true, ProcessId: 5236, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49683

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T16:36:36.106720+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49681 | 132.226.247.73 | 80 | TCP
2025-03-13T16:36:43.622353+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49681 | 132.226.247.73 | 80 | TCP
2025-03-13T16:36:53.169391+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49686 | 132.226.247.73 | 80 | TCP
2025-03-13T16:37:48.356838+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 60536 | 132.226.247.73 | 80 | TCP
2025-03-13T16:37:55.903732+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 60538 | 132.226.247.73 | 80 | TCP


                            AV Detection

Source: file.exe | Avira: detected
Source: 00000000.00000002.3378542731.0000000003471000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "thejaswi@tsengg.com", "Password": "@bettermoney3490", "Server": "mail.tsengg.com"}
Source: file.exe | Virustotal: Detection: 59%
Source: file.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49682 version: TLS 1.0
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 016A9731h | 0_2_016A9480
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 016A9E5Ah | 0_2_016A9A40
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 016A9E5Ah | 0_2_016A9A30
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 016A9E5Ah | 0_2_016A9D87
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 03455E15h | 0_2_03455AD8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 034554D1h | 0_2_03455228
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0345E5A0h | 0_2_0345E2F8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 034583D8h | 0_2_03458130
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0345F2A8h | 0_2_0345F000
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0345E9F8h | 0_2_0345E750
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 03455929h | 0_2_03455680
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 034547C9h | 0_2_03454520
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 03458830h | 0_2_03458588
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0345F700h | 0_2_0345F458
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 034576D0h | 0_2_03457428
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0345EE50h | 0_2_0345EBA8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 03454C21h | 0_2_03454978
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 03457B28h | 0_2_03457880
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0345FB58h | 0_2_0345F8B0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 03457278h | 0_2_03456FD0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 03455079h | 0_2_03454DD0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 03457F80h | 0_2_03457CD8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ecx, 000003E8h | 0_2_071D84D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ecx, 000003E8h | 0_2_071D84C0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push 00000000h | 0_2_071DE2C0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 0_2_071DE2C0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push 00000000h | 0_2_071DEE0B
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push 00000000h | 0_2_0746A7B8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0746C25Eh | 0_2_0746C0A8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0746C25Eh | 0_2_0746C1AD
Source: global traffic | TCP traffic: 192.168.2.7:49683 -> 103.21.58.29:587
Source: global traffic | TCP traffic: 192.168.2.7:60519 -> 1.1.1.1:53
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1, Host: reallyfreegeoip.org, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.112.1
Source: Joe Sandbox View | IP Address: 104.21.112.1
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49686 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49681 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:60536 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:60538 -> 132.226.247.73:80
Source: global traffic | TCP traffic: 192.168.2.7:49683 -> 103.21.58.29:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org, Connection: Keep-Alive (85 identical entries)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org (5 identical entries)
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49682 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: mail.tsengg.com
Source: file.exe, 00000000.00000002.3381315764.00000000068A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.du
Source: file.exe, 00000000.00000002.3378542731.0000000003511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: file.exe, 00000000.00000002.3378542731.0000000003471000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3381315764.00000000068A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: file.exe | String found in binary or memory: http://checkip.dyndns.org/q
Source: file.exe, 00000000.00000002.3382787776.00000000090B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://purl.oen
Source: file.exe, 00000000.00000002.3381315764.00000000068BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r10.i.lencr
Source: file.exe, 00000000.00000002.3378542731.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3377143293.0000000001533000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3381315764.0000000006868000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3378542731.0000000003511000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3381315764.0000000006820000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3378542731.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r10.i.lencr.org/0#
Source: file.exe, 00000000.00000002.3378542731.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3377143293.0000000001533000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3381315764.0000000006868000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3381315764.00000000068BB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3378542731.0000000003511000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3381315764.0000000006820000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3378542731.00000000034E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r10.o.lencr.org0#
Source: file.exe, 00000000.00000002.3378542731.0000000003471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.3381315764.00000000068BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lenc
Source: file.exe, 00000000.00000002.3381315764.0000000006868000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3381315764.00000000068BB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3381315764.0000000006820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000002.3381315764.0000000006868000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3381315764.00000000068BB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3381315764.0000000006820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000002.3378542731.00000000034AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: file.exe | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: file.exe | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443

                            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: file.exe, UltraSpeed.cs | .Net Code: TakeScreenshot
Source: file.exe, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: C:\Users\user\Desktop\file.exe | Window created: window name: CLIPBRDWNDCLASS

                            System Summary

Source: file.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: file.exe, type: SAMPLE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.0.file.exe.ed0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.0.file.exe.ed0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0746B8A00_2_0746B8A0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_074674910_2_07467491
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_074674A00_2_074674A0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0746B8900_2_0746B890
                            Source: file.exe, 00000000.00000002.3377143293.00000000014FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
                            Source: file.exe, 00000000.00000002.3382288941.0000000007319000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
                            Source: file.exe, 00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs file.exe
                            Source: file.exeBinary or memory string: OriginalFilenameCloudServices.exe< vs file.exe
                            Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: file.exe, type: SAMPLEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                            Source: file.exe, type: SAMPLEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 0.0.file.exe.ed0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                            Source: 0.0.file.exe.ed0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                            Source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                            Source: file.exe, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                            Source: file.exe, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/1@4/3
                            Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\Documents\NOVAJump to behavior
                            Source: C:\Users\user\Desktop\file.exeMutant created: NULL
                            Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: file.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                            Source: file.exeVirustotal: Detection: 59%
                            Source: file.exeReversingLabs: Detection: 63%
                            Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: rasapi32.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: rasman.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: rtutils.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: dhcpcsvc6.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: dhcpcsvc.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeSection loaded: windowscodecs.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                            Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: file.exeStatic PE information: 0xB1486ED1 [Tue Apr 1 22:23:13 2064 UTC]
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0746CBFA push es; retf 0_2_0746CC01
                            Source: C:\Users\user\Desktop\file.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                            Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1640000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 3470000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 31C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 2337
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 7527
Source: C:\Users\user\Desktop\file.exe | Window / User API: foregroundWindowGot 1770
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -99672s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -98904s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -98545s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -98436s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -98325s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -98219s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -97890s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -97781s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -97672s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -97562s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -97344s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -97234s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -97125s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -97015s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -96797s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -96687s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -96578s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -96469s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -96359s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -96250s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -96140s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -96030s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -95921s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -95812s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -95703s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -95594s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -95484s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -95375s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -95265s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -95156s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -95047s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -94937s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -94828s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -94719s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6844 | Thread sleep time: -94609s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 99890
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 99781
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 99672
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 99562
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 99453
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 99343
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 99234
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 99125
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 99015
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 98904
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 98797
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 98672
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 98545
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 98436
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 98325
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 98219
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 98109
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 98000
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 97890
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 97781
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 97672
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 97562
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 97453
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 97344
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 97234
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 97125
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 97015
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 96906
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 96797
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 96687
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 96578
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 96469
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 96359
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 96250
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 96140
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 96030
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 95921
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 95812
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 95703
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 95594
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 95484
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 95375
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 95265
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 95156
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 95047
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 94937
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 94828
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 94719
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 94609
Source: file.exe, 00000000.00000002.3377143293.0000000001533000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: file.exe, 00000000.00000002.3380532756.0000000004526000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3380532756.0000000004471000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ffRtmSO3FYDIPy8GUdbRkgcKO2JREhJLxd6wJs6Bz/IIscd/lYCKwEVHgFspCDHH1jnX
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_03450AB8 LdrInitializeThunk,LdrInitializeThunk,
                            Source: C:\Users\user\Desktop\file.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior

                            HIPS / PFW / Operating System Protection Evasion

Source: file.exe, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: file.exe, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: file.exe, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Source: file.exe, 00000000.00000002.3378542731.0000000003692000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3378542731.0000000003511000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3378542731.000000000368E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR
Source: file.exe, 00000000.00000002.3378542731.0000000003692000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3378542731.0000000003511000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3378542731.000000000368E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: file.exe, 00000000.00000002.3378542731.0000000003511000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager,
Source: file.exe, 00000000.00000002.3378542731.0000000003692000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager\
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                            Stealing of Sensitive Information

Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.0.file.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR
Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.0.file.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR
Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.0.file.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3378542731.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.0.file.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3378542731.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR

                            Remote Access Functionality

Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.0.file.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR
Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.0.file.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR
Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.0.file.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3378542731.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.916446752.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 1 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Process Injection
Credential Access: 1 OS Credential Dumping; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 13 System Information Discovery; 1 Query Registry; 1 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Screen Capture; 1 Email Collection; 1 Input Capture; 1 Clipboard Data; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
