Windows Analysis Report
JgRVqrgNs4.exe

Overview

General Information

Sample name: JgRVqrgNs4.exe (renamed because the original name is a hash value)
Original sample name: e80d50169fc57630d4b0c5c53a321ccd86797779bababefff31268224f1a4163.exe
Analysis ID: 1465428
MD5: 119685d67c747bc9fe473e98d4f37f48
SHA1: 12523edc262cf3c0e37be13a2aa2e49db7043439
SHA256: e80d50169fc57630d4b0c5c53a321ccd86797779bababefff31268224f1a4163
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
.NET source code references suspicious native API functions
AI detected suspicious sample
Machine Learning detection for sample
Self deletion via cmd or bat file
Tries to detect the country of the analysis system (by using the IP)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • JgRVqrgNs4.exe (PID: 5256 cmdline: "C:\Users\user\Desktop\JgRVqrgNs4.exe" MD5: 119685D67C747BC9FE473E98D4F37F48)
    • JgRVqrgNs4.exe (PID: 820 cmdline: "C:\Users\user\Desktop\JgRVqrgNs4.exe" MD5: 119685D67C747BC9FE473E98D4F37F48)
      • cmd.exe (PID: 6836 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\JgRVqrgNs4.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • choice.exe (PID: 1588 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "leftlutvar@valleycountysar.org", "Password": "DKw(r0%wpbd]", "Host": "mail.valleycountysar.org", "Port": "587"}
Source | Rule | Description | Author | Strings

Source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
  • 0x148e3:$a1: get_encryptedPassword
  • 0x14bd9:$a2: get_encryptedUsername
  • 0x146ef:$a3: get_timePasswordChanged
  • 0x147ea:$a4: get_passwordField
  • 0x148f9:$a5: set_encryptedPassword
  • 0x15ed0:$a7: get_logins
  • 0x15e33:$a10: KeyLoggerEventArgs
  • 0x15acc:$a11: KeyLoggerEventArgsEventHandler
Source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen
  • 0x180c8:$x1: $%SMTPDV$
  • 0x1812e:$x2: $#TheHashHere%&
  • 0x1976f:$x3: %FTPDV$
  • 0x19863:$x4: $%TelegramDv$
  • 0x15acc:$x5: KeyLoggerEventArgs
  • 0x15e33:$x5: KeyLoggerEventArgs
  • 0x19793:$m2: Clipboard Logs ID
  • 0x1995f:$m2: Screenshot Logs ID
  • 0x19a2b:$m2: keystroke Logs ID
  • 0x19937:$m4: \SnakeKeylogger\
Source: 00000002.00000002.1486909813.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source | Rule | Description | Author | Strings

Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
  • 0x12ce3:$a1: get_encryptedPassword
  • 0x12fd9:$a2: get_encryptedUsername
  • 0x12aef:$a3: get_timePasswordChanged
  • 0x12bea:$a4: get_passwordField
  • 0x12cf9:$a5: set_encryptedPassword
  • 0x142d0:$a7: get_logins
  • 0x14233:$a10: KeyLoggerEventArgs
  • 0x13ecc:$a11: KeyLoggerEventArgsEventHandler
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
  • 0x1a4eb:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1971d:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19b50:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ab8f:$a5: \Kometa\User Data\Default\Login Data
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Description: Detects executables with potential process hoocking | Author: ditekSHen
  • 0x1386f:$s1: UnHook
  • 0x13876:$s2: SetHook
  • 0x1387e:$s3: CallNextHook
  • 0x1388b:$s4: _hook

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 00000002.00000002.1486909813.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "leftlutvar@valleycountysar.org", "Password": "DKw(r0%wpbd]", "Host": "mail.valleycountysar.org", "Port": "587"}
Source: JgRVqrgNs4.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: JgRVqrgNs4.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: JgRVqrgNs4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49704 version: TLS 1.0
Source: JgRVqrgNs4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: JgRVqrgNs4.exe, 00000000.00000002.1377002113.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000000.00000002.1378885112.0000000005C30000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: Yara match | File source: 2.2.JgRVqrgNs4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.4317d70.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49704 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: JgRVqrgNs4.exe, 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://103.130.147.85
Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003147000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000313A000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003190000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030A7000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000319F000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003155000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003163000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003147000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000313A000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003190000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030A7000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000309B000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000319F000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003155000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003163000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: JgRVqrgNs4.exe, 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003147000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000313A000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003190000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000319F000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003155000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003163000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003147000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000313A000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003190000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030A7000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000319F000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003155000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003163000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: JgRVqrgNs4.exe, 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030A7000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003163000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003147000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000313A000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003190000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000319F000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003155000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003163000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443

            System Summary

            barindex
            Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 2.2.JgRVqrgNs4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 2.2.JgRVqrgNs4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 2.2.JgRVqrgNs4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 2.2.JgRVqrgNs4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.JgRVqrgNs4.exe.4317d70.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.JgRVqrgNs4.exe.4317d70.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.JgRVqrgNs4.exe.4317d70.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: Process Memory Space: JgRVqrgNs4.exe PID: 5256, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: Process Memory Space: JgRVqrgNs4.exe PID: 5256, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: Process Memory Space: JgRVqrgNs4.exe PID: 820, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: Process Memory Space: JgRVqrgNs4.exe PID: 820, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 0_2_01A5D3DC0_2_01A5D3DC
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EAB3882_2_02EAB388
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EAC1F02_2_02EAC1F0
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EA61782_2_02EA6178
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EAC7B22_2_02EAC7B2
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EAC4D02_2_02EAC4D0
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EACA922_2_02EACA92
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EA4B312_2_02EA4B31
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EA68E02_2_02EA68E0
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EA98B82_2_02EA98B8
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EABF102_2_02EABF10
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EABC322_2_02EABC32
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EA35D82_2_02EA35D8
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exeCode function: 2_2_02EAB5522_2_02EAB552
            Source: JgRVqrgNs4.exe, 00000000.00000002.1378591343.00000000059B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameExample.dll0 vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exe, 00000000.00000002.1377002113.00000000032C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exe, 00000000.00000002.1377002113.00000000032C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exe, 00000000.00000002.1377002113.00000000032C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameriched20.dllp( vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exe, 00000000.00000002.1377002113.00000000032C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exe, 00000000.00000002.1377002113.00000000032C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exe, 00000000.00000002.1376304264.000000000146E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exe, 00000000.00000000.1369688903.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameGoMonopoly.exe. vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exe, 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameExample.dll0 vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exe, 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exe, 00000000.00000002.1378885112.0000000005C30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exe, 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exeBinary or memory string: OriginalFilenameGoMonopoly.exe. vs JgRVqrgNs4.exe
            Source: JgRVqrgNs4.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.JgRVqrgNs4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.JgRVqrgNs4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.JgRVqrgNs4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.JgRVqrgNs4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.JgRVqrgNs4.exe.4317d70.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.JgRVqrgNs4.exe.4317d70.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.JgRVqrgNs4.exe.4317d70.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: JgRVqrgNs4.exe PID: 5256, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: JgRVqrgNs4.exe PID: 5256, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: JgRVqrgNs4.exe PID: 820, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: JgRVqrgNs4.exe PID: 820, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JgRVqrgNs4.exe.4317d70.3.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JgRVqrgNs4.exe.59b0000.5.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JgRVqrgNs4.exe.4317d70.3.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.JgRVqrgNs4.exe.59b0000.5.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: classification engine | Classification label: mal96.troj.evad.winEXE@8/1@2/2
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JgRVqrgNs4.exe.log
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1156:120:WilError_03
Source: JgRVqrgNs4.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JgRVqrgNs4.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: JgRVqrgNs4.exe | ReversingLabs: Detection: 71%
Source: unknown | Process created: C:\Users\user\Desktop\JgRVqrgNs4.exe "C:\Users\user\Desktop\JgRVqrgNs4.exe"
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Process created: C:\Users\user\Desktop\JgRVqrgNs4.exe "C:\Users\user\Desktop\JgRVqrgNs4.exe"
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\JgRVqrgNs4.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: JgRVqrgNs4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: JgRVqrgNs4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: JgRVqrgNs4.exe, 00000000.00000002.1377002113.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000000.00000002.1378885112.0000000005C30000.00000004.08000000.00040000.00000000.sdmp
Source: JgRVqrgNs4.exe | Static PE information: 0xB30A4D71 [Mon Mar 9 04:00:49 2065 UTC]
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Code function: 0_2_064EC5BD push FFFFFF8Bh; iretd 0_2_064EC5BF
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Code function: 0_2_064E7112 push eax; retf 0_2_064E7119
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Code function: 2_2_02EA9770 push esp; ret 2_2_02EA9771
Source: JgRVqrgNs4.exe | Static PE information: section name: .text entropy: 7.161229069281804

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\JgRVqrgNs4.exe"
Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Memory allocated: 1690000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Memory allocated: 32C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Memory allocated: 3210000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Memory allocated: 2DF0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Memory allocated: 2FE0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Memory allocated: 2DF0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 599891
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 599766
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 599641
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 599531
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 599422
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 599313
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 599188
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 599063
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 598953
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 598844
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 598719
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 598610
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 598485
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 598360
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 598235
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 598110
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 597985
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 597872
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 597765
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 597641
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 597532
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 597407
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 597282
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 597172
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 597032
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 596907
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 596782
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 596657
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 596532
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 596420
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 596312
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 596188
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 596063
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 595953
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 595829
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 595704
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 595579
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 595454
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 595344
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 595235
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 595094
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 594985
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 594875
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 594766
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 594641
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 594532
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 594407
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 594282
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Thread delayed: delay time: 594172
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Window / User API: threadDelayed 1379
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Window / User API: threadDelayed 8449
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6956 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -24903104499507879s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 2980 | Thread sleep count: 1379 > 30
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -599891s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 2980 | Thread sleep count: 8449 > 30
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -599766s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -599641s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -599531s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -599422s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -599313s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -599188s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -599063s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -598953s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -598844s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -598719s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -598610s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -598485s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -598360s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -598235s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -598110s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -597985s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -597872s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -597765s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -597641s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -597532s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -597407s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -597282s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -597172s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -597032s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -596907s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -596782s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -596657s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -596532s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -596420s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -596312s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -596188s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -596063s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -595953s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -595829s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -595704s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -595579s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -595454s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -595344s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -595235s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -595094s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -594985s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -594875s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -594766s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -594641s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -594532s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -594407s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -594282s >= -30000s
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe TID: 6372 | Thread sleep time: -594172s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: JgRVqrgNs4.exe, 00000002.00000002.1488700064.000000000686A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\e
            Source: JgRVqrgNs4.exe, 00000002.00000002.1486135493.00000000013C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: JgRVqrgNs4.exe, UiaCoreTypesApi.cs | Reference to suspicious API methods: LoadLibraryHelper.SecureLoadLibraryEx("UIAutomationCore.dll", IntPtr.Zero, UnsafeNativeMethods.LoadLibraryFlags.LOAD_LIBRARY_SEARCH_SYSTEM32)
            Source: JgRVqrgNs4.exe, UiaCoreTypesApi.cs | Reference to suspicious API methods: UnsafeNativeMethods.GetProcAddressNoThrow(new HandleRef(null, intPtr), "SynchronizedInputPattern_StartListening")
            Source: 0.2.JgRVqrgNs4.exe.33199bc.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Process created: C:\Users\user\Desktop\JgRVqrgNs4.exe "C:\Users\user\Desktop\JgRVqrgNs4.exe"
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\JgRVqrgNs4.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Queries volume information: C:\Users\user\Desktop\JgRVqrgNs4.exe VolumeInformation
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Queries volume information: C:\Users\user\Desktop\JgRVqrgNs4.exe VolumeInformation
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\JgRVqrgNs4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43a7e10.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.JgRVqrgNs4.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.4317d70.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1486909813.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: JgRVqrgNs4.exe PID: 5256, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: JgRVqrgNs4.exe PID: 820, type: MEMORYSTR
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43a7e10.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.JgRVqrgNs4.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.4317d70.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: JgRVqrgNs4.exe PID: 5256, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: JgRVqrgNs4.exe PID: 820, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43c8840.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43a7e10.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.JgRVqrgNs4.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43c8840.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.43a7e10.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.JgRVqrgNs4.exe.4317d70.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1486909813.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: JgRVqrgNs4.exe PID: 5256, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: JgRVqrgNs4.exe PID: 820, type: MEMORYSTR

            MITRE ATT&CK matrix (the number in parentheses is how many signatures mapped to that technique):

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Archive Collected Data (11) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Network Configuration Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (21) | Cached Domain Credentials | File and Directory Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (1) | DCSync | System Information Discovery (12) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Timestomp (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | File Deletion (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            Source | Detection | Scanner | Label | Link
            JgRVqrgNs4.exe | 71% | ReversingLabs | ByteCode-MSIL.Spyware.Snakekeylogger
            JgRVqrgNs4.exe | 100% | Joe Sandbox ML
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            http://checkip.dyndns.com | 0% | Avira URL Cloud | safe
            https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | Avira URL Cloud | safe
            http://103.130.147.85 | 0% | Avira URL Cloud | safe
            http://checkip.dyndns.org/q | 0% | Avira URL Cloud | safe
            http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
            https://reallyfreegeoip.org/xml/ | 0% | Avira URL Cloud | safe
            https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | Avira URL Cloud | safe
            http://checkip.dyndns.org | 0% | Avira URL Cloud | safe
            http://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
            https://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
checkip.dyndns.com | 193.122.6.168 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33 | false | Avira URL Cloud: safe | unknown
URLs found in memory or binary data (Name, Source, Malicious, Antivirus Detection, Reputation)

https://reallyfreegeoip.org
  Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003147000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000313A000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003190000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030A7000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000319F000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003155000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003163000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown

http://checkip.dyndns.org
  Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003147000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000313A000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003190000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030A7000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000309B000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000319F000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003155000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003163000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown

http://checkip.dyndns.com
  Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003147000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000313A000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003190000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030A7000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000319F000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003155000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003163000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown

https://reallyfreegeoip.org/xml/8.46.123.33$
  Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003147000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000313A000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003190000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000319F000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003155000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003163000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown

http://103.130.147.85
  Source: JgRVqrgNs4.exe, 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown

http://checkip.dyndns.org/q
  Source: JgRVqrgNs4.exe, 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown

http://reallyfreegeoip.org
  Source: JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003147000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000313A000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003190000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.000000000319F000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003155000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.0000000003163000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown

https://reallyfreegeoip.org/xml/
  Source: JgRVqrgNs4.exe, 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1486909813.00000000030A7000.00000004.00000800.00020000.00000000.sdmp, JgRVqrgNs4.exe, 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
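The two domains above are the IP-echo and geolocation services behind the report's "May check the online IP address of the machine" and "Tries to detect the country of the analysis system (by using the IP)" signatures. A single checkip lookup is common in benign software; what characterises this check is the pairing, one process asking for its public IP and then geolocating that IP moments later. The detection below is an added example, not part of the Joe Sandbox report. It runs over a constructed telemetry format ("timestamp pid image queried-host dst-ip:port"); the process IDs and the benign lines are invented, while the hosts, endpoints and timing of the malicious lines follow this report's packet table. Adapt parse_line() to the DNS or proxy logs you actually have.

```python
"""Detect the "fetch my public IP, then geolocate it" sequence that the report
attributes to this sample (checkip.dyndns.org followed by reallyfreegeoip.org).

Added example, not part of the Joe Sandbox report.  Log format (constructed):
    "<ISO timestamp> <pid> <image> <queried host> <dst ip>:<port>"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts the report observed, grouped by role.  Assumption: any lookup of a host
# in the first set is an external-IP echo, any in the second a geolocation query.
IP_ECHO_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}

# Constructed sample telemetry: PIDs and the benign lines are invented, the
# malicious lines mirror the endpoints and timing of the report's packet table.
SAMPLE_LOG = """\
2024-07-01T16:27:17.749023 4460 JgRVqrgNs4.exe checkip.dyndns.org 193.122.6.168:80
2024-07-01T16:27:18.651335 4460 JgRVqrgNs4.exe reallyfreegeoip.org 188.114.96.3:443
2024-07-01T16:27:20.119369 4460 JgRVqrgNs4.exe reallyfreegeoip.org 188.114.96.3:443
2024-07-01T16:27:25.000000 1234 chrome.exe www.example.com 93.184.216.34:443
2024-07-01T16:30:00.000000 2222 updater.exe checkip.dyndns.org 193.122.6.168:80
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, pid, image, host, endpoint = line.split()
    ip, port = endpoint.rsplit(":", 1)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"),
        "pid": int(pid),
        "image": image,
        "host": host.lower().rstrip("."),
        "ip": ip,
        "port": int(port),
    }


def find_geo_fingerprinting(lines, window_seconds=30.0):
    """Return one alert per (process, IP-echo lookup) that the same process
    follows with a geolocation lookup within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        for echo in (e for e in evs if e["host"] in IP_ECHO_HOSTS):
            for geo in evs:
                lag = geo["ts"] - echo["ts"]
                if geo["host"] in GEOIP_HOSTS and timedelta(0) <= lag <= window:
                    alerts.append({
                        "pid": pid,
                        "image": echo["image"],
                        "echo_host": echo["host"],
                        "geo_host": geo["host"],
                        "geo_ip": geo["ip"],
                        "lag_seconds": lag.total_seconds(),
                    })
                    break  # one alert per echo lookup, not per later geo query
    return alerts


if __name__ == "__main__":
    for a in find_geo_fingerprinting(SAMPLE_LOG.splitlines()):
        print("ALERT pid=%(pid)d %(image)s: %(echo_host)s -> %(geo_host)s "
              "(%(geo_ip)s) after %(lag_seconds).3fs" % a)
```

On the constructed log the only alert is the JgRVqrgNs4.exe process; updater.exe's lone checkip lookup is ignored, which is the point of requiring the pair. The window is the main tuning knob: the report shows the geolocation request about a second after the IP echo, so 30 seconds is generous, and a shorter window trades a few missed variants for fewer false positives from unrelated software that happens to do both.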
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1465428
                  Start date and time:2024-07-01 16:26:07 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 27s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:JgRVqrgNs4.exe
                  renamed because original name is a hash value
                  Original Sample Name:e80d50169fc57630d4b0c5c53a321ccd86797779bababefff31268224f1a4163.exe
                  Detection:MAL
                  Classification:mal96.troj.evad.winEXE@8/1@2/2
                  EGA Information:
                  • Successful, ratio: 50%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 66
                  • Number of non-executed functions: 3
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target JgRVqrgNs4.exe, PID 820 because it is empty
• Not all processes were analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • VT rate limit hit for: JgRVqrgNs4.exe
Time | Type | Description
10:27:19 | API Interceptor | 73x Sleep call for process: JgRVqrgNs4.exe modified
Context: IPs

Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.122.6.168 | H3fwQALXDX.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | MT Marine Tiger.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | vsl particulars packing list.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | new order.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | z1MB267382625AE.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | Prouduct list Specifictions.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | LAQ-PO088PDF.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | IMG_0071191023.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | new purchase order.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | SecuriteInfo.com.Win64.PWSX-gen.18963.11831.exe | malicious | Snake Keylogger | checkip.dyndns.org/
188.114.96.3 | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/mHgyHEv5/download
188.114.96.3 | file.exe | malicious | FormBook | www.cavetta.org.mt/yhnb/
188.114.96.3 | http://johnlewisfr.com | malicious | Unknown | johnlewisfr.com/
188.114.96.3 | cL7A9wGE3w.exe | malicious | DCRat, PureLog Stealer, zgRAT | 445798cm.nyashka.top/ProviderEternalLinephpRequestSecurePacketprocessauthwordpress.php
188.114.96.3 | http://www.youkonew.anakembok.de/ | malicious | HTMLPhisher | www.youkonew.anakembok.de/cdn-cgi/challenge-platform/h/g/jsd/r/89b98144d9c843b7
188.114.96.3 | hnCn8gE6NH.exe | malicious | DCRat, PureLog Stealer, zgRAT | yenot.top/providerlowAuthApibigloadprotectflower.php
188.114.96.3 | 288292021 ABB.exe | malicious | FormBook | www.oc7o0.top/2zff/?Hp=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk6zzmBcbZOQR3Nr9VCMayuUBptQdoGcq8y485hKv0f5POEUdLprTAYpXY&5H=CtUlKhgP42a
188.114.96.3 | eiqj38BeRo.rtf | malicious | FormBook | www.liposuctionclinics2.today/btrd/?OR-TJfQ=g2Awi9g0RhXmDXdNu5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5szlP5E4EhRYb22U+Mw==&2dc=kvXd-rKHCF
188.114.96.3 | Purchase Order -JJ023639-PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/9a4iHwft/download
188.114.96.3 | Techno_PO LV12406-00311.xla.xlsx | malicious | Unknown | qr-in.com/cpGHnqq
Context: Domains

Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | H3fwQALXDX.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | oHchwlxMNG.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | zkB0qfWSJk.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | file.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | scan copy.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | vsl particulars packing list.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | MT Marine Tiger.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | Order Details.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | new order.exe | malicious | Snake Keylogger | 188.114.96.3
checkip.dyndns.com | H3fwQALXDX.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | oHchwlxMNG.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | zkB0qfWSJk.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | file.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | scan copy.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | vsl particulars packing list.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | MT Marine Tiger.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Order Details.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | new order.exe | malicious | Snake Keylogger | 158.101.44.242
Context: ASNs

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | H3fwQALXDX.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | zkB0qfWSJk.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | file.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | MT Marine Tiger.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | new order.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | MT Marine Tiger.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | vsl particulars packing list.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | new order.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | LETTER OF AUTHORIZATION.exe | malicious | Snake Keylogger | 193.122.130.0
CLOUDFLARENETUS | https://ovexpv.clicks.mlsend.com/ty/cl/eyJ2Ijoie1wiYVwiOjk3MTY5NyxcImxcIjoxMjU2NjAyNTc1MjMzMzY2MzUsXCJyXCI6MTI1NjYwMjkyMTk2NTk4OTEyfSIsInMiOiJjMDRkNjQ0MTU5NWJmNWU5In0 | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | https://wazzootech.co/cgi-ssl/ | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | rQoutation.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
CLOUDFLARENETUS | F46VBJ6Yvy.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | Arch0000000000.msi | malicious | Metamorfo | 104.21.76.57
CLOUDFLARENETUS | H3fwQALXDX.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | 8w5wHh755H.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | gB49zgUhr8.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | AdhP1WMUi5.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | https://webmail1.stormsedge.net/owa/service.svc/s/GetFileAttachment?id=AQMkAGMwMmFiOTE0LWQ5NzktNGE0Zi1iMGM1LTk0MmMzOTFkOWFiZQBGAAADlc4kQ%2BohlEKrqrljxlKVCAcAdJc2TJHT4kmUv1nAYVqHPQAAAgENAAAAdJc2TJHT4kmUv1nAYVqHPQAIOoZlWwAAAAESABAAXD0T7tDHs0qNRd1q6RSkXg%3D%3D&X-OWA-CANARY=sGBeAWNDQUKlLbLOAT0gQCqn7N7UmdwIRGBfhrj-axh_Ij0BMl3fKgjckXCzGSCTl-2kH-3ilbs. | malicious | Outlook Phishing, HTMLPhisher | 1.1.1.1
Context: JA3 fingerprints

Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | H3fwQALXDX.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | oHchwlxMNG.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | zkB0qfWSJk.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | YBzCUPEvkm.exe | malicious | Unknown | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | YBzCUPEvkm.exe | malicious | Unknown | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | scan copy.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | vsl particulars packing list.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | MT Marine Tiger.exe | malicious | Snake Keylogger | 188.114.96.3
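The match key in the table above is the JA3 hash of this sample's TLS ClientHello, the value the "JA3 SSL client fingerprint seen in connection with other malware" signature keys on. JA3 is the MD5 of "version,ciphers,extensions,groups,point_formats", each field a dash-joined list of decimal values in the order the client sent them, with GREASE values removed. The code below is an added example, not code from the Joe Sandbox report, and it does not reproduce the hash above: the sample's ClientHello bytes are not in the report, so the record it fingerprints is constructed here (the cipher list, extension set and SNI are assumptions chosen for illustration).

```python
"""Compute a JA3 TLS client fingerprint from a raw ClientHello record.

Added example, not part of the Joe Sandbox report.  The ClientHello is
constructed below; feed ja3() the first TLS record of a real capture instead.
"""
import hashlib
import struct

EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 0, 10, 11
EXT_SIGNATURE_ALGORITHMS, EXT_EXTENDED_MASTER_SECRET = 13, 23


def is_grease(value):
    """RFC 8701 GREASE values look like 0x?a?a with both bytes equal."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def build_client_hello(version, ciphers, extensions):
    """Constructed TLS 1.2-style ClientHello wrapped in record + handshake headers."""
    body = struct.pack(">H", version) + b"\x11" * 32          # client random (fixed here)
    body += b"\x00"                                             # empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                         # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(p)) + p for t, p in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 0
    version = struct.unpack_from(">H", body, pos)[0]
    pos += 2 + 32                                   # version, random
    pos += 1 + body[pos]                            # session id
    n = struct.unpack_from(">H", body, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from(">H", body, pos + i)[0] for i in range(0, n, 2)]
    pos += n
    pos += 1 + body[pos]                            # compression methods
    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:                       # walk the extension list in wire order
            et, el = struct.unpack_from(">HH", body, pos)
            pos += 4
            payload = body[pos:pos + el]
            pos += el
            ext_types.append(et)
            if et == EXT_SUPPORTED_GROUPS:
                gl = struct.unpack_from(">H", payload, 0)[0]
                groups = [struct.unpack_from(">H", payload, 2 + i)[0] for i in range(0, gl, 2)]
            elif et == EXT_EC_POINT_FORMATS:
                formats = list(payload[1:1 + payload[0]])

    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))

    ja3_str = ",".join([str(version), field(ciphers), field(ext_types), field(groups), field(formats)])
    return ja3_str, hashlib.md5(ja3_str.encode("ascii")).hexdigest()


SNI = b"reallyfreegeoip.org"   # host from this report; the rest of the offer is assumed


def sample_client_hello(with_grease):
    """Constructed offer; with_grease adds GREASE to ciphers, extensions and groups."""
    grease = [0x0A0A] if with_grease else []
    groups = grease + [0x001D, 0x0017, 0x0018]    # x25519, secp256r1, secp384r1
    extensions = [(g, b"") for g in grease] + [
        (EXT_SERVER_NAME, struct.pack(">HBH", len(SNI) + 3, 0, len(SNI)) + SNI),
        (EXT_SUPPORTED_GROUPS, struct.pack(">H", 2 * len(groups)) + b"".join(struct.pack(">H", g) for g in groups)),
        (EXT_EC_POINT_FORMATS, b"\x01\x00"),
        (EXT_SIGNATURE_ALGORITHMS, struct.pack(">H", 4) + b"\x04\x03\x08\x04"),
        (EXT_EXTENDED_MASTER_SECRET, b""),
    ]
    return build_client_hello(0x0303, grease + [0xC02B, 0xC02F, 0x009C, 0x002F], extensions)


if __name__ == "__main__":
    for flag in (True, False):
        print("grease=%s -> %s -> %s" % ((flag,) + ja3(sample_client_hello(flag))))
```

Both constructed offers yield the same string, 771,49195-49199-156-47,0-10-11-13-23,29-23-24,0, because the GREASE values are stripped before hashing; that is what keeps the fingerprint stable across a client that randomises them. The caveat when using a JA3 match as an indicator is that the hash identifies the TLS stack, not the program: every .NET application using the same Windows build produces the same ClientHello, which is why the table above lists samples the sandbox could not name ("Unknown") next to Snake Keylogger detections.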
                  No context
                  Process:C:\Users\user\Desktop\JgRVqrgNs4.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1216
                  Entropy (8bit):5.34331486778365
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.149905623090227
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:JgRVqrgNs4.exe
                  File size:550'400 bytes
                  MD5:119685d67c747bc9fe473e98d4f37f48
                  SHA1:12523edc262cf3c0e37be13a2aa2e49db7043439
                  SHA256:e80d50169fc57630d4b0c5c53a321ccd86797779bababefff31268224f1a4163
                  SHA512:bcf5fd9f4eb4d62529f16afea7315197e1779493646b0c2db9ee4bda7cb965122fa77d80476f07af4b52afe48f18e0b8a1a8f8ea67b6e55b17ccdd2fdd080723
                  SSDEEP:12288:fn3Kpgo/C7vHH2cJ1JkRA4R06mgJuqsJv/v+MLuSn:vnvHXJkRFRzJ4v/BLB
                  TLSH:0EC4CF1D73E4419BD9AA9BF938F39E420179BFA63412E60E13E3864D08F3706D81D65B
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...qM................0..\...........{... ........@.. ....................................@................................
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x487b8e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0xB30A4D71 [Mon Mar 9 04:00:49 2065 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the bytes that follow the entry point are zero padding, which the disassembler renders as a long run of "add byte ptr [eax], al"; the single jump goes through the IAT at RVA 0x2000 to the only native import, mscoree.dll!_CorExeMain, which is the standard stub of a .NET executable)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x87b34 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x88000 | 0x5a6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x85b94 | 0x85c00 | 298fced749b41a5412066f37356c9089 | False | 0.5712050963785047 | data | 7.161229069281804 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x88000 | 0x5a6 | 0x600 | 132a37b5442e964e380a204121be0dc2 | False | 0.4212239583333333 | data | 4.073970029987344 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8a000 | 0xc | 0x200 | 47ed0f319ea66e35ecfe856d11836d76 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x880a0 | 0x31c | data | | | 0.4334170854271357
RT_MANIFEST | 0x883bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
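Two header facts in the static section above carry most of the signal: the timestamp 0xB30A4D71 decodes to March 2065, which is what the "Binary contains a suspicious time stamp" signature keys on, and the non-empty COM_DESCRIPTOR directory marks the file as a .NET assembly whose only native import is mscoree.dll!_CorExeMain. The parser below is an added example, not code from the Joe Sandbox report. It reads those fields from raw PE32 bytes and flags both. To run offline it parses a minimal PE32 constructed here from the report's own values (no sections or code are included, so the image is not loadable), and the analysis time is pinned to the report's start time so the future-timestamp check is reproducible; in practice pass parse_pe() the bytes of a real file and assess() the current time.

```python
"""Read the PE32 header fields the static section reports and flag a compile
timestamp in the future and the presence of a CLR (.NET) header.

Added example, not code from the Joe Sandbox report.  SAMPLE_IMAGE is a
minimal PE32 constructed from the report's values; it is not a loadable file.
"""
import struct
from datetime import datetime, timedelta, timezone

PE32_MAGIC = 0x10B
DIR_IMPORT, DIR_IAT, DIR_COM_DESCRIPTOR = 1, 12, 14
DLL_CHARACTERISTICS = {  # subset of IMAGE_DLLCHARACTERISTICS_* flags
    0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE",
}
# PE32 optional header: 96 fixed bytes, then 16 (RVA, size) data-directory pairs.
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
assert struct.calcsize(OPT_FMT) == 96


def build_minimal_pe32(timestamp, entry_rva, image_base, dll_chars, directories):
    """Constructed image: DOS header, PE signature, COFF header, optional header, directories."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine i386, no sections, timestamp, no symbols, 224-byte optional header,
    # characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack(
        OPT_FMT, PE32_MAGIC, 48, 0,
        0x85C00, 0x800, 0, entry_rva, 0x2000, 0x88000, image_base, 0x2000, 0x200,
        4, 0, 0, 0, 4, 0,
        0, 0x8C000, 0x200, 0,
        2, dll_chars,                                   # IMAGE_SUBSYSTEM_WINDOWS_GUI
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,
    )
    dirs = b"".join(struct.pack("<II", *directories.get(i, (0, 0))) for i in range(16))
    return dos + b"PE\0\0" + coff + opt + dirs


def parse_pe(data):
    """Return the header fields of interest from a PE32 image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, ts, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    f = struct.unpack_from(OPT_FMT, data, opt)
    entry_rva, image_base, subsystem, dll_chars, n_dirs = f[6], f[9], f[22], f[23], f[29]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    return {
        "machine": machine,
        "timestamp_raw": ts,
        # Built from the epoch so dates past 2038 work on every platform.
        "timestamp": datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts),
        "image_base": image_base,
        "entry_point_va": image_base + entry_rva,
        "subsystem": subsystem,
        "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit),
        "directories": dirs,
    }


def assess(info, now):
    """Header-only findings; `now` is injected so the result is reproducible."""
    findings = []
    if info["timestamp"] > now:
        findings.append("compile timestamp lies in the future (%s): stamp is forged or randomised"
                        % info["timestamp"].strftime("%Y-%m-%d %H:%M:%S UTC"))
    rva, size = info["directories"][DIR_COM_DESCRIPTOR]
    if rva and size:
        findings.append("CLR header at RVA 0x%x: managed (.NET) executable" % rva)
    for flag in ("DYNAMIC_BASE", "NX_COMPAT"):
        if flag not in info["dll_characteristics"]:
            findings.append("%s not set" % flag)
    return findings


# Values from the report: stamp 0xB30A4D71, entry point 0x487b8e at image base 0x400000,
# DLL characteristics DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE (0x8540),
# import table 0x87b34/0x57, IAT 0x2000/0x8, CLR header 0x2008/0x48.
SAMPLE_IMAGE = build_minimal_pe32(
    timestamp=0xB30A4D71, entry_rva=0x87B8E, image_base=0x400000, dll_chars=0x8540,
    directories={DIR_IMPORT: (0x87B34, 0x57), DIR_IAT: (0x2000, 0x8), DIR_COM_DESCRIPTOR: (0x2008, 0x48)},
)
ANALYSIS_TIME = datetime(2024, 7, 1, 14, 26, 7, tzinfo=timezone.utc)  # report start, 16:26:07 +02:00

if __name__ == "__main__":
    info = parse_pe(SAMPLE_IMAGE)
    print("entry point VA 0x%x, built %s" % (info["entry_point_va"], info["timestamp"]))
    for finding in assess(info, ANALYSIS_TIME):
        print(" -", finding)
```

A future timestamp is not proof of malice on its own: .NET compilers since Roslyn write a deterministic-build hash into this field by default, so the value is random for many legitimate managed binaries as well. What makes it useful here is the combination with the other header facts and the behaviour in the rest of the report, and a triage script should report it as one input rather than a verdict.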
                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                   Jul 1, 2024 16:27:17.749023914 CEST | 49701 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:17.753897905 CEST | 80 | 49701 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:17.753958941 CEST | 49701 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:17.754148960 CEST | 49701 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:17.758932114 CEST | 80 | 49701 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:18.407052040 CEST | 80 | 49701 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:18.410988092 CEST | 49701 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:18.415880919 CEST | 80 | 49701 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:18.600079060 CEST | 80 | 49701 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:18.641064882 CEST | 49701 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:18.651335001 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:18.651366949 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:18.651662111 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:18.655704021 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:18.655716896 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:19.139259100 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:19.139388084 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:19.145838022 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:19.145849943 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:19.146178007 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:19.187942982 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:19.190063953 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:19.232512951 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:19.909313917 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:19.909420967 CEST | 443 | 49704 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:19.909535885 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:19.914907932 CEST | 49704 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:19.918437004 CEST | 49701 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:19.923198938 CEST | 80 | 49701 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:20.116552114 CEST | 80 | 49701 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:20.119369030 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:20.119391918 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:20.119507074 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:20.119761944 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:20.119779110 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:20.156677008 CEST | 49701 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:20.500365019 CEST | 80 | 49701 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:20.500447989 CEST | 49701 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:20.620917082 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:20.623509884 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:20.623536110 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:20.777756929 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:20.777862072 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:20.778079987 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:20.778436899 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:20.781563044 CEST | 49701 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:20.782875061 CEST | 49707 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:20.786781073 CEST | 80 | 49701 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:20.786859035 CEST | 49701 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:20.787712097 CEST | 80 | 49707 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:20.787883043 CEST | 49707 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:20.788005114 CEST | 49707 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:20.792773008 CEST | 80 | 49707 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:21.429789066 CEST | 80 | 49707 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:21.431523085 CEST | 49708 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:21.431571960 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:21.431937933 CEST | 49708 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:21.431937933 CEST | 49708 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:21.431972027 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:21.484934092 CEST | 49707 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:21.931307077 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:21.933226109 CEST | 49708 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:21.933259010 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:22.074081898 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:22.074181080 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:22.074248075 CEST | 49708 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:22.074687004 CEST | 49708 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:22.078532934 CEST | 49709 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:22.083766937 CEST | 80 | 49709 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:22.083882093 CEST | 49709 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:22.083980083 CEST | 49709 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:22.089807034 CEST | 80 | 49709 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:22.719938993 CEST | 80 | 49709 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:22.721339941 CEST | 49711 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:22.721375942 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:22.721440077 CEST | 49711 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:22.722146034 CEST | 49711 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:22.722161055 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:22.766055107 CEST | 49709 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:23.192269087 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:23.194022894 CEST | 49711 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:23.194047928 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:23.352309942 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:23.352866888 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:23.352951050 CEST | 49711 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:23.353338003 CEST | 49711 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:23.356386900 CEST | 49709 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:23.357362032 CEST | 49713 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:23.361665964 CEST | 80 | 49709 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:23.361720085 CEST | 49709 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:23.362240076 CEST | 80 | 49713 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:23.362421036 CEST | 49713 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:23.362526894 CEST | 49713 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:23.367858887 CEST | 80 | 49713 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:24.004183054 CEST | 80 | 49713 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:24.005345106 CEST | 49714 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:24.005383015 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:24.005438089 CEST | 49714 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:24.005702972 CEST | 49714 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:24.005713940 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:24.047305107 CEST | 49713 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:24.502330065 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:24.503998995 CEST | 49714 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:24.504024029 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:24.629815102 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:24.629913092 CEST | 443 | 49714 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:24.630198956 CEST | 49714 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:24.630517006 CEST | 49714 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:24.633723974 CEST | 49713 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:24.634850979 CEST | 49715 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:24.638813019 CEST | 80 | 49713 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:24.638879061 CEST | 49713 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:24.639674902 CEST | 80 | 49715 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:24.639792919 CEST | 49715 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:24.639812946 CEST | 49715 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:24.644577026 CEST | 80 | 49715 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:25.297102928 CEST | 80 | 49715 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:25.298486948 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:25.298531055 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:25.298634052 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:25.298986912 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:25.298999071 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:25.344398022 CEST | 49715 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:25.793502092 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:25.795159101 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:25.795183897 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:26.056556940 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:26.056680918 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:26.056756020 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:26.057279110 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:26.060345888 CEST | 49715 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:26.061463118 CEST | 49717 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:26.065500021 CEST | 80 | 49715 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:26.065579891 CEST | 49715 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:26.066286087 CEST | 80 | 49717 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:26.066364050 CEST | 49717 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:26.066482067 CEST | 49717 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:26.071269989 CEST | 80 | 49717 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:26.712627888 CEST | 80 | 49717 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:26.714205027 CEST | 49718 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:26.714258909 CEST | 443 | 49718 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:26.714327097 CEST | 49718 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:26.714601994 CEST | 49718 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:26.714615107 CEST | 443 | 49718 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:26.766097069 CEST | 49717 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:27.184307098 CEST | 443 | 49718 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:27.185966015 CEST | 49718 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:27.185982943 CEST | 443 | 49718 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:27.317867994 CEST | 443 | 49718 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:27.317975044 CEST | 443 | 49718 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:27.318033934 CEST | 49718 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:27.318602085 CEST | 49718 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:27.321865082 CEST | 49717 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:27.323010921 CEST | 49719 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:27.328260899 CEST | 80 | 49717 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:27.328351974 CEST | 49717 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:27.329581976 CEST | 80 | 49719 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:27.329663038 CEST | 49719 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:27.329763889 CEST | 49719 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:27.334646940 CEST | 80 | 49719 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:27.971240044 CEST | 80 | 49719 | 193.122.6.168 | 192.168.2.7
                   Jul 1, 2024 16:27:27.972436905 CEST | 49720 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:27.972470999 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:27.972532988 CEST | 49720 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:27.972773075 CEST | 49720 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:27.972790956 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:28.016128063 CEST | 49719 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:28.465984106 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:28.467835903 CEST | 49720 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:28.467859030 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:28.602966070 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:28.603076935 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.7
                   Jul 1, 2024 16:27:28.603142977 CEST | 49720 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:28.603647947 CEST | 49720 | 443 | 192.168.2.7 | 188.114.96.3
                   Jul 1, 2024 16:27:28.702553988 CEST | 49719 | 80 | 192.168.2.7 | 193.122.6.168
                   Jul 1, 2024 16:27:28.702630997 CEST | 49707 | 80 | 192.168.2.7 | 193.122.6.168
                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                   Jul 1, 2024 16:27:17.733555079 CEST | 63338 | 53 | 192.168.2.7 | 1.1.1.1
                   Jul 1, 2024 16:27:17.741656065 CEST | 53 | 63338 | 1.1.1.1 | 192.168.2.7
                   Jul 1, 2024 16:27:18.641859055 CEST | 60038 | 53 | 192.168.2.7 | 1.1.1.1
                   Jul 1, 2024 16:27:18.650626898 CEST | 53 | 60038 | 1.1.1.1 | 192.168.2.7
                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                   Jul 1, 2024 16:27:17.733555079 CEST | 192.168.2.7 | 1.1.1.1 | 0xa6 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                   Jul 1, 2024 16:27:18.641859055 CEST | 192.168.2.7 | 1.1.1.1 | 0x43c9 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                   Jul 1, 2024 16:27:17.741656065 CEST | 1.1.1.1 | 192.168.2.7 | 0xa6 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                   Jul 1, 2024 16:27:17.741656065 CEST | 1.1.1.1 | 192.168.2.7 | 0xa6 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                   Jul 1, 2024 16:27:17.741656065 CEST | 1.1.1.1 | 192.168.2.7 | 0xa6 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                   Jul 1, 2024 16:27:17.741656065 CEST | 1.1.1.1 | 192.168.2.7 | 0xa6 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                   Jul 1, 2024 16:27:17.741656065 CEST | 1.1.1.1 | 192.168.2.7 | 0xa6 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                   Jul 1, 2024 16:27:17.741656065 CEST | 1.1.1.1 | 192.168.2.7 | 0xa6 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                   Jul 1, 2024 16:27:18.650626898 CEST | 1.1.1.1 | 192.168.2.7 | 0x43c9 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                   Jul 1, 2024 16:27:18.650626898 CEST | 1.1.1.1 | 192.168.2.7 | 0x43c9 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                  • reallyfreegeoip.org
                  • checkip.dyndns.org
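The packet list and DNS answers above show the sample opening one cleartext connection to 193.122.6.168 (checkip.dyndns.org, port 80) and then, within a few milliseconds of the reply, a TLS connection to 188.114.96.3 (reallyfreegeoip.org, port 443), and repeating that pair every second or so. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds client-to-server connections from a transcribed subset of the TCP rows above and measures, for every connection to the geolocation host, the gap to the most recent packet exchanged with the IP-check host. The hostname mapping comes from the DNS answers; the "higher port is the client" heuristic and the 1 s window are this example's own assumptions.

```python
"""Rebuild TCP connections from the packet list above and measure how closely
each connection to the geolocation host follows traffic to the IP-check host."""
from collections import OrderedDict
from datetime import datetime

# Constructed subset of the TCP rows above: the first two checkip/geoip pairs.
# Columns: timestamp, source port, dest port, source IP, dest IP.
PACKETS = [
    ("Jul 1, 2024 16:27:17.749023914 CEST", 49701, 80, "192.168.2.7", "193.122.6.168"),
    ("Jul 1, 2024 16:27:17.753897905 CEST", 80, 49701, "193.122.6.168", "192.168.2.7"),
    ("Jul 1, 2024 16:27:17.754148960 CEST", 49701, 80, "192.168.2.7", "193.122.6.168"),
    ("Jul 1, 2024 16:27:18.407052040 CEST", 80, 49701, "193.122.6.168", "192.168.2.7"),
    ("Jul 1, 2024 16:27:18.641064882 CEST", 49701, 80, "192.168.2.7", "193.122.6.168"),
    ("Jul 1, 2024 16:27:18.651335001 CEST", 49704, 443, "192.168.2.7", "188.114.96.3"),
    ("Jul 1, 2024 16:27:18.651366949 CEST", 443, 49704, "188.114.96.3", "192.168.2.7"),
    ("Jul 1, 2024 16:27:19.139259100 CEST", 443, 49704, "188.114.96.3", "192.168.2.7"),
    ("Jul 1, 2024 16:27:19.914907932 CEST", 49704, 443, "192.168.2.7", "188.114.96.3"),
    ("Jul 1, 2024 16:27:20.782875061 CEST", 49707, 80, "192.168.2.7", "193.122.6.168"),
    ("Jul 1, 2024 16:27:20.787712097 CEST", 80, 49707, "193.122.6.168", "192.168.2.7"),
    ("Jul 1, 2024 16:27:21.429789066 CEST", 80, 49707, "193.122.6.168", "192.168.2.7"),
    ("Jul 1, 2024 16:27:21.431523085 CEST", 49708, 443, "192.168.2.7", "188.114.96.3"),
    ("Jul 1, 2024 16:27:21.431571960 CEST", 443, 49708, "188.114.96.3", "192.168.2.7"),
    ("Jul 1, 2024 16:27:21.484934092 CEST", 49707, 80, "192.168.2.7", "193.122.6.168"),
    ("Jul 1, 2024 16:27:22.074687004 CEST", 49708, 443, "192.168.2.7", "188.114.96.3"),
]

# Server IPs as resolved in the DNS answers above.
RDNS = {"193.122.6.168": "checkip.dyndns.org", "188.114.96.3": "reallyfreegeoip.org"}
IP_CHECK_HOST = "checkip.dyndns.org"
GEOIP_HOST = "reallyfreegeoip.org"


def parse_ts(text):
    """'Jul 1, 2024 16:27:17.749023914 CEST' -> float seconds, nanosecond fraction kept."""
    base, rest = text.rsplit(".", 1)
    frac = rest.split()[0]                      # drop the trailing timezone label
    seconds = datetime.strptime(base, "%b %d, %Y %H:%M:%S").timestamp()
    return seconds + int(frac) / 10 ** len(frac)


def build_flows(packets):
    """Group packets into (client IP, client port, server IP, server port) connections.

    Assumption: the endpoint holding the higher port number is the client
    (ephemeral port); that is enough for the 80/443 servers in this capture."""
    flows = OrderedDict()
    for ts, sport, dport, sip, dip in packets:
        key = (sip, sport, dip, dport) if sport > dport else (dip, dport, sip, sport)
        t = parse_ts(ts)
        flow = flows.setdefault(key, {"first": t, "last": t, "packets": 0})
        flow["first"] = min(flow["first"], t)
        flow["last"] = max(flow["last"], t)
        flow["packets"] += 1
    return flows


def geoip_follows_ip_check(packets, window=1.0):
    """For each connection to the geolocation host, return
    (client port, seconds since the last IP-check packet, within window)."""
    flows = build_flows(packets)
    check_times = sorted(
        parse_ts(ts) for ts, _, _, sip, dip in packets
        if IP_CHECK_HOST in (RDNS.get(sip), RDNS.get(dip)))
    results = []
    for (_, client_port, server_ip, _), flow in flows.items():
        if RDNS.get(server_ip) != GEOIP_HOST:
            continue
        earlier = [t for t in check_times if t <= flow["first"]]
        gap = flow["first"] - earlier[-1] if earlier else float("inf")
        results.append((client_port, round(gap, 3), gap <= window))
    return results


if __name__ == "__main__":
    for key, flow in build_flows(PACKETS).items():
        print(key, flow["packets"], "packets,", round(flow["last"] - flow["first"], 3), "s")
    print(geoip_follows_ip_check(PACKETS))
```

On the subset the two geolocation connections open 10 ms and 2 ms after the last checkip packet, which is the behaviour of a program chaining the two lookups rather than a user browsing. On a production sensor the same check can be run over NetFlow or Zeek conn logs with the DNS answers as the IP-to-name map; only the port 80 half carries readable content, the port 443 half is matchable by destination and timing alone.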
                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                   0 | 192.168.2.7 | 49701 | 193.122.6.168 | 80 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                   Timestamp | Bytes transferred | Direction | Data
                   Jul 1, 2024 16:27:17.754148960 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                   Jul 1, 2024 16:27:18.407052040 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:18 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 5d9839f2970dfb9d826f98db011cc9df
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                   Jul 1, 2024 16:27:18.410988092 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                   Jul 1, 2024 16:27:18.600079060 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:18 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 7ae5e7f4c72d61fb7f13ef27b31a90e5
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                   Jul 1, 2024 16:27:19.918437004 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                   Jul 1, 2024 16:27:20.116552114 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:20 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 351d4ab76a28e5376a4bde54bc6ec850
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                   Jul 1, 2024 16:27:20.500365019 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:20 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 351d4ab76a28e5376a4bde54bc6ec850
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                   1 | 192.168.2.7 | 49707 | 193.122.6.168 | 80 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                   Timestamp | Bytes transferred | Direction | Data
                   Jul 1, 2024 16:27:20.788005114 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                   Jul 1, 2024 16:27:21.429789066 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:21 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 77d29dd182cd27784de654db1fc32034
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                   2 | 192.168.2.7 | 49709 | 193.122.6.168 | 80 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                   Timestamp | Bytes transferred | Direction | Data
                   Jul 1, 2024 16:27:22.083980083 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                   Jul 1, 2024 16:27:22.719938993 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:22 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 3955f0d1058549d297d499ab366c5013
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                   3 | 192.168.2.7 | 49713 | 193.122.6.168 | 80 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                   Timestamp | Bytes transferred | Direction | Data
                   Jul 1, 2024 16:27:23.362526894 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                   Jul 1, 2024 16:27:24.004183054 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:23 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 456e767dcdb100faadd15e7d8c5ba826
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                   4 | 192.168.2.7 | 49715 | 193.122.6.168 | 80 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                   Timestamp | Bytes transferred | Direction | Data
                   Jul 1, 2024 16:27:24.639812946 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                   Jul 1, 2024 16:27:25.297102928 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:25 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 363dd02243a785f1dac0b4fe8e240604
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                   5 | 192.168.2.7 | 49717 | 193.122.6.168 | 80 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                   Timestamp | Bytes transferred | Direction | Data
                   Jul 1, 2024 16:27:26.066482067 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                   Jul 1, 2024 16:27:26.712627888 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:26 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: be1ef0f1877bac0906d687dc4250c969
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                   6 | 192.168.2.7 | 49719 | 193.122.6.168 | 80 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                   Timestamp | Bytes transferred | Direction | Data
                   Jul 1, 2024 16:27:27.329763889 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                   Jul 1, 2024 16:27:27.971240044 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:27 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: c1b4b2e9f54a9b4f31fac38fe10d54b0
                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                   0 | 192.168.2.7 | 49704 | 188.114.96.3 | 443 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                   Timestamp | Bytes transferred | Direction | Data
                   2024-07-01 14:27:19 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                   2024-07-01 14:27:19 UTC | 696 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:19 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: EXPIRED
                  Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dHQ21l8gSKqNxmkJFfMFHHyEOAyLNR12oQNGfj4Tf8xWHLjKIcfguaMjcxEMteCR%2BSXKlR2ibpBIgS4%2F3XrNwyDzEFRr9sFB43JDJLrfhpeuwOT5PaWHybcSFmHC2VgOTYHvc68b"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89c7137d4b490f7c-EWR
                  alt-svc: h3=":443"; ma=86400
                   2024-07-01 14:27:19 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                   2024-07-01 14:27:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0
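Read together, the two session types above form one procedure: the GET to checkip.dyndns.org returns the sandbox's public address in an HTML body ("Current IP Address: 8.46.123.33"), and the very next request, to reallyfreegeoip.org, carries that same address in its path and gets back a chunked XML document with a CountryCode. The Python below is an added example, not code from the report or from the sample: it walks a list of HTTP transactions, pulls the address out of the IP-check reply, and only reports a geolocation finding when the address being looked up is the one just learned. The User-Agent string, the checkip body and the visible XML elements are taken from the sessions above; the complete XML document (the capture is cut off after <Latitude>) and the host lists are constructed for the example.

```python
"""Flag the 'echo my public IP, then geolocate it' chain shown in the HTTP
sessions above, including decoding of the chunked XML reply."""
import re
import xml.etree.ElementTree as ET

IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
# User-Agent sent on every checkip.dyndns.org request above; the missing space in
# 'CLR1.0.3705' makes it a usable signature token.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IP_RE = re.compile(rb"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed from the captured sessions: the checkip body verbatim, and the
# geolocation XML with the elements visible in the report (closed by hand,
# since the capture stops inside <Latitude>).
CHECKIP_BODY = (b"<html><head><title>Current IP Check</title></head>"
                b"<body>Current IP Address: 8.46.123.33</body></html>\r\n")
GEOIP_XML = (b"<Response>\n\t<IP>8.46.123.33</IP>\n\t<CountryCode>US</CountryCode>\n"
             b"\t<CountryName>United States</CountryName>\n\t<RegionCode></RegionCode>\n"
             b"\t<RegionName></RegionName>\n\t<City></City>\n\t<ZipCode></ZipCode>\n"
             b"\t<TimeZone>America/Chicago</TimeZone>\n\t<Latitude>37.75</Latitude>\n"
             b"</Response>\n")
# Transfer-Encoding: chunked, as the server sent it: one data chunk, then the zero chunk.
GEOIP_CHUNKED = b"%x\r\n%s\r\n0\r\n\r\n" % (len(GEOIP_XML), GEOIP_XML)

# The two transactions of the first checkip/geoip pair, in capture order.
TRANSACTIONS = [
    {"host": "checkip.dyndns.org", "request": "GET / HTTP/1.1",
     "headers": {"User-Agent": LEGACY_UA, "Connection": "Keep-Alive"},
     "body": CHECKIP_BODY},
    {"host": "reallyfreegeoip.org", "request": "GET /xml/8.46.123.33 HTTP/1.1",
     "headers": {"Connection": "Keep-Alive"}, "body": GEOIP_CHUNKED},
]


def dechunk(raw):
    """Decode an HTTP/1.1 chunked body: hex size line, data, CRLF, ... until size 0."""
    out = bytearray()
    pos = 0
    while True:
        line_end = raw.index(b"\r\n", pos)
        size = int(raw[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return bytes(out)
        out += raw[pos:pos + size]
        pos += size + 2                                     # skip the data and its CRLF


def public_ip_from_checkip(body):
    """Extract the dotted-quad the IP-check service echoed back, or None."""
    match = IP_RE.search(body)
    return match.group(1).decode() if match else None


def parse_geoip(xml_bytes):
    """Flatten the <Response> children into a dict, e.g. {'CountryCode': 'US', ...}."""
    return {el.tag: (el.text or "") for el in ET.fromstring(xml_bytes)}


def find_ip_check_chain(transactions):
    """Walk the transactions in order and report the IP-check -> geolocate chain.

    Returns ('ip_check', host, ip, legacy_ua_seen) for each IP-check request and
    ('geolocate', host, country_code) when a geolocation request looks up the
    address learned from an earlier IP-check reply."""
    findings = []
    learned_ip = None
    for tx in transactions:
        host = tx["host"]
        path = tx["request"].split()[1]
        if host in IP_CHECK_HOSTS:
            ip = public_ip_from_checkip(tx["body"])
            learned_ip = ip or learned_ip
            findings.append(("ip_check", host, ip,
                             tx["headers"].get("User-Agent") == LEGACY_UA))
        elif host in GEOIP_HOSTS and learned_ip and learned_ip in path.split("/"):
            geo = parse_geoip(dechunk(tx["body"]))
            findings.append(("geolocate", host, geo.get("CountryCode")))
    return findings


if __name__ == "__main__":
    for finding in find_ip_check_chain(TRANSACTIONS):
        print(finding)
```

Requiring the geolocation path to contain the address learned a moment earlier is what keeps this from firing on an ordinary visit to a geolocation site; the legacy User-Agent is reported separately because a real Internet Explorer 6 on Windows Server 2003 is not what a 2024 host sends. Only the checkip half of the chain is observable as cleartext outside the sandbox; the reallyfreegeoip.org request travels over port 443, so on a live network the second step has to be matched on DNS, SNI or timing rather than on the path.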


                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                   1 | 192.168.2.7 | 49706 | 188.114.96.3 | 443 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                   Timestamp | Bytes transferred | Direction | Data
                   2024-07-01 14:27:20 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                   2024-07-01 14:27:20 UTC | 704 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:20 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 1
                  Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Alow6w5Jo2wYMNQ%2B%2FP8IgZ9oI8d7Hl3P5kz54PCr0utHEZR23ATLiFfetH3kJMUaSgnpoZcATopNlOgaBqBamPUT5kVb1ol4skrlF54%2FLx2adK8cnZTV%2Bc7y2KNP7U2MoMLzvgkt"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89c71386787e32e8-EWR
                  alt-svc: h3=":443"; ma=86400
                   2024-07-01 14:27:20 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-01 14:27:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.7 | 49708 | 188.114.96.3 | 443 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-01 14:27:21 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-07-01 14:27:22 UTC | 700 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:22 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 3
                  Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kiXTT3OPwoJdF2mqdQyWzzM75mWOClCSnJSzzWtL1UgyNMOkn3RNFM8Jza29OIHAyvxVobqk2TSM2oEHIAYlGUAC4E%2FYRtiVkIbgEs6K194AKiocLHG%2F9LCjAzlb2efUsCAuQHES"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89c7138e8c188c36-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-01 14:27:22 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-01 14:27:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  3 | 192.168.2.7 | 49711 | 188.114.96.3 | 443 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-01 14:27:23 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-07-01 14:27:23 UTC | 702 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:23 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 4
                  Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ypmbiyxEFM2D8NtTSj41COdt%2Fgsg5oRPshCN3xGXsKt4Kp6gmmPiAqfFeqA%2Fvl0DAVslUFEIfqE8LsWwIfuie6sFsjh8JqNZMXEUTMI8l9oBykGiC01Ww%2BFJqg9G66VE0SKHqMbu"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89c713969e646a5e-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-01 14:27:23 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-01 14:27:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  4 | 192.168.2.7 | 49714 | 188.114.96.3 | 443 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-01 14:27:24 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-07-01 14:27:24 UTC | 704 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:24 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 5
                  Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SZ8Wf7NoIjUYJ3jLF7z3cmeu9WSXj3%2Fx64GwNd7RhMjOqgvzdUaNeaMjgYN9eTjZQZYl%2FmUfK4%2Ffb1bXxYK4GYREbM9EYtEvA%2FnKKyoxfAZlMHCnCfO34wJDatTbuASRaMnKnSfz"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89c7139e8c9c72c2-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-01 14:27:24 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-01 14:27:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  5 | 192.168.2.7 | 49716 | 188.114.96.3 | 443 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-01 14:27:25 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-07-01 14:27:26 UTC | 710 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:25 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 6
                  Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BlLiZ02GDCnG2ZWEbNVt4%2BzNDJhG%2Fh%2BA5nYfvX%2ByaAiqqsk6wIPJ7dOETFri8Ygt8NimpepaXOmnLs%2F2FxquG8uzkfj2NYE%2BL5VAZFDAAQvwWGwCpAM%2BlWeXXbw56J2WVMni8iER"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89c713a6cc72c44f-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-01 14:27:26 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-01 14:27:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  6 | 192.168.2.7 | 49718 | 188.114.96.3 | 443 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-01 14:27:27 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-07-01 14:27:27 UTC | 708 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:27 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 8
                  Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0xU8ijb0hR8UcNlvhI%2FrGUDtjo38zq1M2qzvwBNr6jkeKG1nY14v1IwnY4sA4qtXFcfbMybISfOVxvSJcol5%2FL6ZYzBWQeTaIfyZ%2B%2FVrbqSE%2FIZxNDQPs6hIDVBkF4%2BpCnHbN8Ja"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89c713af5d480f88-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-01 14:27:27 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-01 14:27:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  7 | 192.168.2.7 | 49720 | 188.114.96.3 | 443 | 820 | C:\Users\user\Desktop\JgRVqrgNs4.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-01 14:27:28 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-07-01 14:27:28 UTC | 704 | IN | HTTP/1.1 200 OK
                  Date: Mon, 01 Jul 2024 14:27:28 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 9
                  Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SOlVXcecvHOHV0glJwHdL1xwpOq3xf3nSh8RsCVzln7Ug8i05JYpuc1JafjYjRGGIVqj%2F0%2BlfACBoWLzE%2FRkNwf0WudSwpX3ymMsA2bxb0DXKmuE6eIia%2BTnP8LZgUMdIUJ4V47X"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89c713b75e097cb4-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-01 14:27:28 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-01 14:27:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Target ID:0
                  Start time:10:27:15
                  Start date:01/07/2024
                  Path:C:\Users\user\Desktop\JgRVqrgNs4.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\JgRVqrgNs4.exe"
                  Imagebase:0xef0000
                  File size:550'400 bytes
                  MD5 hash:119685D67C747BC9FE473E98D4F37F48
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1377173369.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation:low
                  Has exited:true

                  Target ID:2
                  Start time:10:27:16
                  Start date:01/07/2024
                  Path:C:\Users\user\Desktop\JgRVqrgNs4.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\JgRVqrgNs4.exe"
                  Imagebase:0xc50000
                  File size:550'400 bytes
                  MD5 hash:119685D67C747BC9FE473E98D4F37F48
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.1485853658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1486909813.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                  Target ID:4
                  Start time:10:27:28
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\JgRVqrgNs4.exe"
                  Imagebase:0x410000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:5
                  Start time:10:27:28
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:6
                  Start time:10:27:29
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\choice.exe
                  Wow64 process (32bit):true
                  Commandline:choice /C Y /N /D Y /T 3
                  Imagebase:0xdd0000
                  File size:28'160 bytes
                  MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                    Execution Graph

                    Execution Coverage:8.8%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:60
                    Total number of Limit Nodes:10
                    execution_graph 25445 64ea9a8 25446 64eab33 25445->25446 25448 64ea9ce 25445->25448 25448->25446 25449 64e8bf4 25448->25449 25450 64eac28 PostMessageW 25449->25450 25451 64eac94 25450->25451 25451->25448 25452 64e1ad9 25453 64e1af5 25452->25453 25457 64e2eb0 25453->25457 25462 64e2ec0 25453->25462 25454 64e1b01 25458 64e2ece 25457->25458 25459 64e2eed 25457->25459 25467 64e2364 FindCloseChangeNotification 25458->25467 25461 64e2ee9 25461->25454 25463 64e2ece 25462->25463 25464 64e2eed 25462->25464 25468 64e2364 FindCloseChangeNotification 25463->25468 25466 64e2ee9 25466->25454 25467->25461 25468->25466 25469 1a5a598 25470 1a5a599 25469->25470 25474 1a5a680 25470->25474 25482 1a5a690 25470->25482 25471 1a5a5a7 25475 1a5a6a1 25474->25475 25476 1a5a6c4 25474->25476 25475->25476 25490 1a5a928 25475->25490 25494 1a5a91b 25475->25494 25476->25471 25477 1a5a6bc 25477->25476 25478 1a5a8c8 GetModuleHandleW 25477->25478 25479 1a5a8f5 25478->25479 25479->25471 25483 1a5a6c4 25482->25483 25484 1a5a6a1 25482->25484 25483->25471 25484->25483 25488 1a5a928 LoadLibraryExW 25484->25488 25489 1a5a91b LoadLibraryExW 25484->25489 25485 1a5a6bc 25485->25483 25486 1a5a8c8 GetModuleHandleW 25485->25486 25487 1a5a8f5 25486->25487 25487->25471 25488->25485 25489->25485 25491 1a5a929 25490->25491 25493 1a5a961 25491->25493 25498 1a5a118 25491->25498 25493->25477 25495 1a5a924 25494->25495 25496 1a5a961 25495->25496 25497 1a5a118 LoadLibraryExW 25495->25497 25496->25477 25497->25496 25499 1a5ab08 LoadLibraryExW 25498->25499 25501 1a5ab81 25499->25501 25501->25493 25502 1a5c918 25503 1a5c95e 25502->25503 25504 1a5ca4b 25503->25504 25507 1a5cae9 25503->25507 25511 1a5caf8 25503->25511 25508 1a5caf8 25507->25508 25515 1a5bde0 25508->25515 25512 1a5cafd 25511->25512 25513 1a5bde0 DuplicateHandle 25512->25513 25514 1a5cb26 25513->25514 25514->25504 25516 1a5cb60 DuplicateHandle 25515->25516 25517 1a5cb26 25516->25517 25517->25504 25518 64e3030 FindCloseChangeNotification 
25519 64e309f 25518->25519

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 810 1a5a690-1a5a69f 811 1a5a6a1-1a5a6ae call 1a586ac 810->811 812 1a5a6cb-1a5a6cf 810->812 817 1a5a6c4 811->817 818 1a5a6b0 811->818 813 1a5a6d1-1a5a6db 812->813 814 1a5a6e3-1a5a724 812->814 813->814 821 1a5a726-1a5a72e 814->821 822 1a5a731-1a5a73f 814->822 817->812 865 1a5a6b6 call 1a5a928 818->865 866 1a5a6b6 call 1a5a91b 818->866 821->822 824 1a5a741-1a5a746 822->824 825 1a5a763-1a5a765 822->825 823 1a5a6bc-1a5a6be 823->817 828 1a5a800-1a5a8c0 823->828 826 1a5a751 824->826 827 1a5a748-1a5a74f call 1a5a0bc 824->827 829 1a5a768-1a5a76f 825->829 833 1a5a753-1a5a761 826->833 827->833 860 1a5a8c2-1a5a8c5 828->860 861 1a5a8c8-1a5a8f3 GetModuleHandleW 828->861 831 1a5a771-1a5a779 829->831 832 1a5a77c-1a5a783 829->832 831->832 836 1a5a785-1a5a78d 832->836 837 1a5a790-1a5a799 call 1a5a0cc 832->837 833->829 836->837 841 1a5a7a6-1a5a7ab 837->841 842 1a5a79b-1a5a7a3 837->842 844 1a5a7ad-1a5a7b4 841->844 845 1a5a7c9-1a5a7d6 841->845 842->841 844->845 846 1a5a7b6-1a5a7c6 call 1a5a0dc call 1a5a0ec 844->846 851 1a5a7f9-1a5a7ff 845->851 852 1a5a7d8-1a5a7f6 845->852 846->845 852->851 860->861 862 1a5a8f5-1a5a8fb 861->862 863 1a5a8fc-1a5a910 861->863 862->863 865->823 866->823
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 01A5A8E6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1376773905.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1a50000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 77740ebe8284fd03fd154bd204b0dd7e67bcc0b2e4f8ee0059975fe71215d917
                    • Instruction ID: 7adf509720f26525497b2ae55c426ddf03e8973a0a06e0105d72105855903b04
                    • Opcode Fuzzy Hash: 77740ebe8284fd03fd154bd204b0dd7e67bcc0b2e4f8ee0059975fe71215d917
                    • Instruction Fuzzy Hash: 637168B0A04B058FE764DF29D55075ABBF1FF88210F108A2ED84ADBB50DB35E845CBA1

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 873 1a5cb58-1a5cb5b 874 1a5cb60-1a5cbf4 DuplicateHandle 873->874 875 1a5cbf6-1a5cbfc 874->875 876 1a5cbfd-1a5cc1a 874->876 875->876
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01A5CB26,?,?,?,?,?), ref: 01A5CBE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1376773905.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1a50000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: a8256d2995a451a8a3f48c76d1f0103ec9203399762d9c13cd1706d9d1c44df6
                    • Instruction ID: 77aa25d17945eef6bb6ddab14e681491f6104cd802ecbf606102319976db273e
                    • Opcode Fuzzy Hash: a8256d2995a451a8a3f48c76d1f0103ec9203399762d9c13cd1706d9d1c44df6
                    • Instruction Fuzzy Hash: E821D4B5D00219AFDB10CFAAD884ADEFBF9EB48220F14841AE914E3350D375A944CF65

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 867 1a5bde0-1a5cbf4 DuplicateHandle 869 1a5cbf6-1a5cbfc 867->869 870 1a5cbfd-1a5cc1a 867->870 869->870
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01A5CB26,?,?,?,?,?), ref: 01A5CBE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1376773905.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1a50000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 7eb0a948c455e26a3d83c5d7d35712059fcea653eca1c4f7463483dae09c3fc8
                    • Instruction ID: 2c8b590d8727b7ff8b996d1a1b36c65bdfacb78756b74f974865b8c29f345ae9
                    • Opcode Fuzzy Hash: 7eb0a948c455e26a3d83c5d7d35712059fcea653eca1c4f7463483dae09c3fc8
                    • Instruction Fuzzy Hash: F721D4B5D04308AFDB10CFAAD884ADEBBF8FB48220F14801AE914A7350D375A944DFA5

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 879 1a5a100-1a5ab48 883 1a5ab50-1a5ab7f LoadLibraryExW 879->883 884 1a5ab4a-1a5ab4d 879->884 885 1a5ab81-1a5ab87 883->885 886 1a5ab88-1a5aba5 883->886 884->883 885->886
                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A5A961,00000800,00000000,00000000), ref: 01A5AB72
                    Memory Dump Source
                    • Source File: 00000000.00000002.1376773905.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1a50000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: eeb9a0916e8171b1ed2e9f81074badc6e5a6ab60d8fccc6433d1da75d261f00c
                    • Instruction ID: e671999e04c3ba39afe69c855f7d955fb142bee9d5a4337e6631b04da9dccbfb
                    • Opcode Fuzzy Hash: eeb9a0916e8171b1ed2e9f81074badc6e5a6ab60d8fccc6433d1da75d261f00c
                    • Instruction Fuzzy Hash: 652159B6D043489FDB10CFAAC844ADEBBF5AB48220F15851ED919A7211C3745545CFA5

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 889 1a5ab00-1a5ab02 890 1a5ab04-1a5ab06 889->890 891 1a5ab09-1a5ab48 889->891 890->891 892 1a5ab50-1a5ab7f LoadLibraryExW 891->892 893 1a5ab4a-1a5ab4d 891->893 894 1a5ab81-1a5ab87 892->894 895 1a5ab88-1a5aba5 892->895 893->892 894->895
                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A5A961,00000800,00000000,00000000), ref: 01A5AB72
                    Memory Dump Source
                    • Source File: 00000000.00000002.1376773905.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1a50000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 09b9fbac9508c60281c9a9fd684fa97ddb0316b616721ec9599b357e137a910f
                    • Instruction ID: c397021fc2b5e7c53d0a8ed569972d8dc8b596f101e409ff32fdb32846badfab
                    • Opcode Fuzzy Hash: 09b9fbac9508c60281c9a9fd684fa97ddb0316b616721ec9599b357e137a910f
                    • Instruction Fuzzy Hash: 6E11F2B6D002499FDB20CF9AD844A9EBBF5AB48310F11852AE919A7600C379A945CFA5

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 898 1a5a118-1a5ab48 901 1a5ab50-1a5ab7f LoadLibraryExW 898->901 902 1a5ab4a-1a5ab4d 898->902 903 1a5ab81-1a5ab87 901->903 904 1a5ab88-1a5aba5 901->904 902->901 903->904
                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A5A961,00000800,00000000,00000000), ref: 01A5AB72
                    Memory Dump Source
                    • Source File: 00000000.00000002.1376773905.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1a50000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0

                    APIs
                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,064E2EE9,?,?), ref: 064E3090
                    Memory Dump Source
                    • Source File: 00000000.00000002.1379164513.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_64e0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:
                    • API String ID: 2591292051-0

                    APIs
                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,064E2EE9,?,?), ref: 064E3090
                    Memory Dump Source
                    • Source File: 00000000.00000002.1379164513.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_64e0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:
                    • API String ID: 2591292051-0

                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 01A5A8E6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1376773905.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1a50000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0

                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 064EAC85
                    Memory Dump Source
                    • Source File: 00000000.00000002.1379164513.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_64e0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID: MessagePost
                    • String ID:
                    • API String ID: 410705778-0

                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 064EAC85
                    Memory Dump Source
                    • Source File: 00000000.00000002.1379164513.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_64e0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID: MessagePost
                    • String ID:
                    • API String ID: 410705778-0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1376592844.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_164d000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.1376592844.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_164d000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.1376592844.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_164d000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.1376592844.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_164d000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.1376773905.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1a50000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: (oq$(oq$,q$,q
                    • API String ID: 0-620556200
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: (oq$4'q
                    • API String ID: 0-1336004174
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: (oq$Hq
                    • API String ID: 0-2917151738
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: PHq$PHq
                    • API String ID: 0-1274609152
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: PHq$PHq
                    • API String ID: 0-1274609152
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: PHq$PHq
                    • API String ID: 0-1274609152
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: PHq$PHq
                    • API String ID: 0-1274609152
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: PHq$PHq
                    • API String ID: 0-1274609152
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: PHq$PHq
                    • API String ID: 0-1274609152
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: PHq$PHq
                    • API String ID: 0-1274609152
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: PHq$PHq
                    • API String ID: 0-1274609152
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: PHq$PHq
                    • API String ID: 0-1274609152
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
                    • API String ID: 0-2212926057
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: (oq$(oq$(oq$(oq
                    • API String ID: 0-3853041632
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: $q$$q
                    • API String ID: 0-3126353813
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: Hq$Hq
                    • API String ID: 0-925789375
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q
                    • API String ID: 0-1467158625
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: ,q$,q
                    • API String ID: 0-1667412543
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: Xq$Xq
                    • API String ID: 0-1556399337
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: LRq
                    • API String ID: 0-3187445251
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: LRq
                    • API String ID: 0-3187445251
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: (oq
                    • API String ID: 0-1999159160
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8f1f20c6aac4d9b8c072bbbbbd9286c020ad2f78bd66bd0ec3507ea13e2835be
                    • Instruction ID: 59347d7f7dd808d5d3108c0dcc0b0642ca4047e33e3d1fbfb3a3a199672b15e6
                    • Opcode Fuzzy Hash: 8f1f20c6aac4d9b8c072bbbbbd9286c020ad2f78bd66bd0ec3507ea13e2835be
                    • Instruction Fuzzy Hash: CBF14D71A806158FDB04DF69C998A9DBBF2FF88314B16D0A9E419AF361CB35EC41CB50
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6669a7c06a2aac04b1e148aa6353b26b98f6698dc0fe0dcdce394bbe34d5c728
                    • Instruction ID: 74a9e11b2b7e0d15705a752c29a3ec21087c948213a3994695d1ea9718364492
                    • Opcode Fuzzy Hash: 6669a7c06a2aac04b1e148aa6353b26b98f6698dc0fe0dcdce394bbe34d5c728
                    • Instruction Fuzzy Hash: FB710B347402058FCB14DF2DC8A8BADBBE6AF89659B1994A5E805CF3B1DB70EC41CB51
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d4046ee8fc53ad7ce4f54db55efa8e38d4c9ee6aa6322cc23f2c3d84ed1b409a
                    • Instruction ID: 50ef01852154a7ac55157bcae1b4984d0c3a300056c94eb15981a6f8e9fb086a
                    • Opcode Fuzzy Hash: d4046ee8fc53ad7ce4f54db55efa8e38d4c9ee6aa6322cc23f2c3d84ed1b409a
                    • Instruction Fuzzy Hash: 8B51A4789323969FD3987F20A9AE1AABF60FB9F3177457D24B05F865089F301055CB60
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2f7b95fff7cbf7449b02082e0c8576e775f89f7f3d6097fecc1019c536d1f63a
                    • Instruction ID: 583a9768320a36621d9920bbc1314423f46db774631b615bb67ec0301c5afb6c
                    • Opcode Fuzzy Hash: 2f7b95fff7cbf7449b02082e0c8576e775f89f7f3d6097fecc1019c536d1f63a
                    • Instruction Fuzzy Hash: EE5192789323968F93987F20A9AE1BABFA4FB9F3177457D24B15F865089F301054CB60
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 24517be821a3004e19a00d0d5cf7aca137a1fa4f70632be8ba7d3b06f0583ba6
                    • Instruction ID: 5c789696c3c82ceae03b3cbbaabda3c9dc4413c3cdd43f8b2aece494e9e8130a
                    • Opcode Fuzzy Hash: 24517be821a3004e19a00d0d5cf7aca137a1fa4f70632be8ba7d3b06f0583ba6
                    • Instruction Fuzzy Hash: 74518274E01208DFCB18EFA9D59499DBBB2FF89300B209469E809AB364DB35AD41CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4fe75b2be7dc958b752d54d7d3a943207cbadc64d98f1a9d3edce4389cc877cd
                    • Instruction ID: 1f74b786e389c12e1cbcdc8abf4b3d6bce3a8713354598a9e4ee33643cee9635
                    • Opcode Fuzzy Hash: 4fe75b2be7dc958b752d54d7d3a943207cbadc64d98f1a9d3edce4389cc877cd
                    • Instruction Fuzzy Hash: 15519474E01208DFDB44DFA9D994A9DBBF2FF89300F24916AE419AB364DB31A901CF54
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 30e57c0977fcc3a773106c4b8c80c626f37e7e213b5fe01c07f01f405ad87ef9
                    • Instruction ID: c9645306ae0d86dde3640419bbd2dcef055b2b8bead2e44adf47e58ebd868249
                    • Opcode Fuzzy Hash: 30e57c0977fcc3a773106c4b8c80c626f37e7e213b5fe01c07f01f405ad87ef9
                    • Instruction Fuzzy Hash: 2D517274E01308DFDB08EFA9D59499DBBB6FF89310B209469E809AB364DB35AD41CF50
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 962d61fd5750e76835031db7d52a246dcb927497520297461163fa743c742dac
                    • Instruction ID: 568a9b7b257cc68385c3ad9a2ca899e2e4c1ef5f53f447494ec6666395755418
                    • Opcode Fuzzy Hash: 962d61fd5750e76835031db7d52a246dcb927497520297461163fa743c742dac
                    • Instruction Fuzzy Hash: 7C417931A44249DFCF15CFA9C8A4BDEBBB2EF89314F009156E815AF296D335E910CB94
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9e90c7c35249e5c3a94abd17769f76409fa8a3e34593bc1bcd43baa40527ec42
                    • Instruction ID: 7d585244624cb2fe0f5882071b6ee337ac741f1694455ed5dcb81514fae22edf
                    • Opcode Fuzzy Hash: 9e90c7c35249e5c3a94abd17769f76409fa8a3e34593bc1bcd43baa40527ec42
                    • Instruction Fuzzy Hash: AA316D3560410AAFCB459F65D894AAF3FA7FB88205F009069F9198F294CB75DC61CBA0
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 34c301b820d51478d6f4ee8ef095e5df9a68830f54e7679878e809405e1e91f4
                    • Instruction ID: 006e0e0eaa490b61817e29f1a3c49a37ffd1256b241c48f4b6b78023f4a40e8b
                    • Opcode Fuzzy Hash: 34c301b820d51478d6f4ee8ef095e5df9a68830f54e7679878e809405e1e91f4
                    • Instruction Fuzzy Hash: 2D314675D412088FCF08EFB8E855AEEBBB1FB8A305F10A53AD40577290DB39A945CB54
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a45e05a298be1b31c1db3587183a8e4e8bc1f356983d49a3b401aff345fb63ed
                    • Instruction ID: 9149f791a2bf941140de772bce7da401c2b0309a4fef9f0c30022039a863cf7d
                    • Opcode Fuzzy Hash: a45e05a298be1b31c1db3587183a8e4e8bc1f356983d49a3b401aff345fb63ed
                    • Instruction Fuzzy Hash: FE2128317402204BDB25963998A5BBDAA96AFC461DB18D039E806CF384EF35EC42D7C0
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 882e5f8e5bf16301d39917e924e5b3105e25bc5c62df654d7f9ee4e779c69808
                    • Instruction ID: e49a39d69d8198a74be7fd6e1e6b0364cc5b9e4be9bdcc0740132cf59b78c09c
                    • Opcode Fuzzy Hash: 882e5f8e5bf16301d39917e924e5b3105e25bc5c62df654d7f9ee4e779c69808
                    • Instruction Fuzzy Hash: E321C5317802204BDB19963A98A47BEAA97AFC865DF14D039E806CF794DF35EC42D790
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8089a7a639ffe673b268c80845bac7817c484ccf1a383858115650b5ffe6c074
                    • Instruction ID: 60ff37697ab56f5135eaf5bba294fd7ded75b29b828efaf2daeccafd4bcb8d4a
                    • Opcode Fuzzy Hash: 8089a7a639ffe673b268c80845bac7817c484ccf1a383858115650b5ffe6c074
                    • Instruction Fuzzy Hash: D2319170A406058FCB04CF69C894AAEBBB3FFC8714B15C169E515AB3A5DB35EC02CB90
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fe8e8d1b061d5a666a0b76b0aa55808eda9538a3d24aafdd02ac09798d16adb9
                    • Instruction ID: 67019fd52d305abb5ced4a9b7694775115fbe14542ff3a8574a7f04039ce95b9
                    • Opcode Fuzzy Hash: fe8e8d1b061d5a666a0b76b0aa55808eda9538a3d24aafdd02ac09798d16adb9
                    • Instruction Fuzzy Hash: 8621C775A00205AFCB14DB28C850AAE3BA5EB99354F51C519DD099F258EB31FE46CB90
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f8c0a875b907ae37bd883b24316a62aff28435b174b2946e408157992646de8d
                    • Instruction ID: 62fe98da3c2c7fe19a1d5286376fa771d22e037e4dbcf49b1c4aeda27ec57831
                    • Opcode Fuzzy Hash: f8c0a875b907ae37bd883b24316a62aff28435b174b2946e408157992646de8d
                    • Instruction Fuzzy Hash: 42212731C10619DECF11EFA8D8546ECFBB4FF4A305F11962AD404B7254EB34AA9ACB40
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3b14e964c1a729287164dd12f2950b1f9157c840dc4f44c20eb5d129003c40ff
                    • Instruction ID: 17b902fb916cf5fb366452c4458662139729cc5ccabed9d01c0fd8c17bcf0cbb
                    • Opcode Fuzzy Hash: 3b14e964c1a729287164dd12f2950b1f9157c840dc4f44c20eb5d129003c40ff
                    • Instruction Fuzzy Hash: A421C335B416118FC7299B69D8B466ABBA2FFC87567448169E906CF354CF30EC02CBC0
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0329b62b078a6179b5b8e1d82336e3615f23fa8e322a9cf204108f79a2ad050a
                    • Instruction ID: 1d11d0c01fb87c720b43810e32d1e9dd7a89956dbee1e4467449fc4beee5ddaa
                    • Opcode Fuzzy Hash: 0329b62b078a6179b5b8e1d82336e3615f23fa8e322a9cf204108f79a2ad050a
                    • Instruction Fuzzy Hash: 1E2193356441099FCB54AF64D8657AB3BA6FBC8314F508469F9058F384CB74DC55CBE0
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 798f38e975cbdf63d59b4f0594f12a033d9e1dab598a30110b01b9b959068167
                    • Instruction ID: 7663fb901dbdf990a1a3b28065b7db49920d25c8935d02dca40cf50ad2306aea
                    • Opcode Fuzzy Hash: 798f38e975cbdf63d59b4f0594f12a033d9e1dab598a30110b01b9b959068167
                    • Instruction Fuzzy Hash: 5121D6749012098BCF18DFB4D951AEEBBB2FB89301F10A439D40577354DB3AAD41CB65
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: aa83f4173220685aeb17bff84634de2270982436d26f5de9db2e3773f9249bb6
                    • Instruction ID: 1b24e1b115431d737808734c220ef20dd2e8ec4afb9326a0da38a63e3df0f6f8
                    • Opcode Fuzzy Hash: aa83f4173220685aeb17bff84634de2270982436d26f5de9db2e3773f9249bb6
                    • Instruction Fuzzy Hash: 66110631B01A118FC7199A2AD8B466EBBA6FFC465574980A9E406CF350CF20EC02C7C0
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4a6a1702ac077539be342d5df462f3a9594858a40791d62a9a6f2b564e8aca19
                    • Instruction ID: 45dfc6841a287efb10c1e2bfefd06ecabbd33d7075179921b4d5d5575c11fb88
                    • Opcode Fuzzy Hash: 4a6a1702ac077539be342d5df462f3a9594858a40791d62a9a6f2b564e8aca19
                    • Instruction Fuzzy Hash: 65113D36B102089BDB148F69D959BEEBBB6BB8C221F148165F511A7390DB71AC10CB90
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f092548958059903aeaca3d08acb93c068d450f14c682bfb706c18c9560e5b5e
                    • Instruction ID: f483ba666cf84714cbcb9fbe04269a228a1658d629f1d56c1ae1b29e923ea76b
                    • Opcode Fuzzy Hash: f092548958059903aeaca3d08acb93c068d450f14c682bfb706c18c9560e5b5e
                    • Instruction Fuzzy Hash: C921A274C1060D8FCB84EFA9D9556EEBFF1FB49300F10526AE905B6214EB305A85CFA5
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 33df56b5288d47788e2165d110ac159c50194519090fb895154b6756130154a1
                    • Instruction ID: 5b1ddb630b85909edbcaf98312e261c0c5ccafa0262b0d0b19cbca26650b1d05
                    • Opcode Fuzzy Hash: 33df56b5288d47788e2165d110ac159c50194519090fb895154b6756130154a1
                    • Instruction Fuzzy Hash: C801D672B001196B8B459E599814AEF7FABDBC8662B54C02AF605DB340DF71DC11CBA0
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dd763bb69e48b50342eff78593fef65b42c119f5d64e58592b20f56dcc191e3e
                    • Instruction ID: 9130318b0314f2785812494d3d417693eb3b15e2ffbcc5cd410c180d62191f62
                    • Opcode Fuzzy Hash: dd763bb69e48b50342eff78593fef65b42c119f5d64e58592b20f56dcc191e3e
                    • Instruction Fuzzy Hash: 1E01DB32A042096FCB068E559C14ADF7FB6EFC9351B15C06AF514CB240DB35D811CBA1
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 86099f2191e6a12a8c7bf8fcbb8c50457ad2c257948b28baee5bcd8a12875d4c
                    • Instruction ID: 9d5eb3c13df66f8774ce7b1bd887412e28521355816ed05332c5a428655f2a1b
                    • Opcode Fuzzy Hash: 86099f2191e6a12a8c7bf8fcbb8c50457ad2c257948b28baee5bcd8a12875d4c
                    • Instruction Fuzzy Hash: 68E08636D2062D53C710A7A5DC156FEBF38EFC1222F954726D810B7144EB71665C82B5
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 78b0f1583a6c16bd227ef2947ece468b307561d1da0057e1caa1ee5e837a9114
                    • Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
                    • Opcode Fuzzy Hash: 78b0f1583a6c16bd227ef2947ece468b307561d1da0057e1caa1ee5e837a9114
                    • Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                    • Instruction ID: 66c27518a2e46619ec344eca29910282735d7e78fda9e05fac5c77f4056c513e
                    • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                    • Instruction Fuzzy Hash: 3EC08C7328C1282EA234A08F7C54EF3BB8CC3C13B8A214137F95CEB301A842AC8041F4
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b97cf391407cd93757431c943665a80df660a9d96b25afbe881129510f9ae808
                    • Instruction ID: ef726864141f3bbbc42583335c37e523fbc34b2bf35f28be2c4a64631737d377
                    • Opcode Fuzzy Hash: b97cf391407cd93757431c943665a80df660a9d96b25afbe881129510f9ae808
                    • Instruction Fuzzy Hash: 3BD0677AB110089FDB049F99E8419DDBBB6FBDC221B548116F915A3264C6319921DB90
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e8b8b0fb136d1f11bbadd807ab82b677b00c32360cda7d6b45831c94d5cedd52
                    • Instruction ID: f3d5e0d2508c21f486dfc0b3fbcf1f162105f2080cd0c9319421b05c7375bb36
                    • Opcode Fuzzy Hash: e8b8b0fb136d1f11bbadd807ab82b677b00c32360cda7d6b45831c94d5cedd52
                    • Instruction Fuzzy Hash: 6AD0973DC1C30407D322F730FE620803B32BAC0409BC808DAA6000EB1AE738480E4776
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf197420084989ec45f5d3972d12c7dbb0f04d49b3fcc9fb6932789161c53ac5
                    • Instruction ID: 3b50ea44d40d809839a7488b731055a85a8889d59597daa87bdd368fb14bdc68
                    • Opcode Fuzzy Hash: bf197420084989ec45f5d3972d12c7dbb0f04d49b3fcc9fb6932789161c53ac5
                    • Instruction Fuzzy Hash: BBC0123491830E47D555F771F955595376BB6C0510F404910B2090D619DF78584A4AB6
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: Xq$Xq$Xq$Xq
                    • API String ID: 0-3965792415
                    • Opcode ID: f65048ecfcc6cadee3362e4301fa3165b46b41c6deaf935c6c73e5cba7de2d91
                    • Instruction ID: 8aced7137e4f018d423869b8233c75e36529786be2fb8e079eb63272a984c9e0
                    • Opcode Fuzzy Hash: f65048ecfcc6cadee3362e4301fa3165b46b41c6deaf935c6c73e5cba7de2d91
                    • Instruction Fuzzy Hash: 0171D330E4031A8FDF659BA4C8603EEBBB5BF89304F14D56AD919BB240DB309D45CBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1486806886.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_2ea0000_JgRVqrgNs4.jbxd
                    Similarity
                    • API ID:
                    • String ID: \;q$\;q$\;q$\;q
                    • API String ID: 0-2933265366
                    • Opcode ID: 3bc779a09e8954460da4abffd058b2cd9ec687f2e4b3f888fb07dff8920bafcb
                    • Instruction ID: 7b809d630ebf144bb799fe72364c7c3bedf6e766fa4a4c832cf1a18314bc720b
                    • Opcode Fuzzy Hash: 3bc779a09e8954460da4abffd058b2cd9ec687f2e4b3f888fb07dff8920bafcb
                    • Instruction Fuzzy Hash: 60017531F801158FCF249A2DC464A557BEAAF9666871D9169E40ACF372DA31EC42C7A0